Commit Graph

281 Commits

Author SHA1 Message Date
renovate[bot] 01d7ef88e3 chore: bump up esbuild version to ^0.28.0 [SECURITY] (#15128)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [esbuild](https://redirect.github.com/evanw/esbuild) | [`^0.25.12` →
`^0.28.0`](https://renovatebot.com/diffs/npm/esbuild/0.25.12/0.28.1) |
![age](https://developer.mend.io/api/mc/badges/age/npm/esbuild/0.28.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/esbuild/0.25.12/0.28.1?slim=true)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/5188) for more information.

---

### esbuild enables any website to send any requests to the development
server and read the response

[GHSA-67mh-4wv8-2f99](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99)

<details>
<summary>More information</summary>

#### Details
##### Summary

esbuild allows any websites to send any request to the development
server and read the response due to default CORS settings.

##### Details

esbuild sets `Access-Control-Allow-Origin: *` header to all requests,
including the SSE connection, which allows any websites to send any
request to the development server and read the response.


https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121

https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363

**Attack scenario**:

1. The attacker serves a malicious web page
(`http://malicious.example.com`).
1. The user accesses the malicious web page.
1. The attacker sends a `fetch('http://127.0.0.1:8000/main.js')` request
by JS in that malicious web page. This request is normally blocked by
same-origin policy, but that's not the case for the reasons above.
1. The attacker gets the content of `http://127.0.0.1:8000/main.js`.

In this scenario, I assumed that the attacker knows the URL of the
bundle output file name. But the attacker can also get that information
by

- Fetching `/index.html`: normally you have a script tag here
- Fetching `/assets`: it's common to have a `assets` directory when you
have JS files and CSS files in a different directory and the directory
listing feature tells the attacker the list of files
- Connecting `/esbuild` SSE endpoint: the SSE endpoint sends the URL
path of the changed files when the file is changed (`new
EventSource('/esbuild').addEventListener('change', e =>
console.log(e.type, e.data))`)
- Fetching URLs in the known file: once the attacker knows one file, the
attacker can know the URLs imported from that file

The scenario above fetches the compiled content, but if the victim has
the source map option enabled, the attacker can also get the
non-compiled content by fetching the source map file.

##### PoC

1. Download
[reproduction.zip](https://redirect.github.com/user-attachments/files/18561484/reproduction.zip)
2. Extract it and move to that directory
1. Run `npm i`
1. Run `npm run watch`
1. Run `fetch('http://127.0.0.1:8000/app.js').then(r =>
r.text()).then(content => console.log(content))` in a different
website's dev tools.


![image](https://redirect.github.com/user-attachments/assets/08fc2e4d-e1ec-44ca-b0ea-78a73c3c40e9)

##### Impact

Users using the serve feature may get the source code stolen by
malicious websites.

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N`

#### References
-
[https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99)
-
[https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d](https://redirect.github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d)
-
[https://github.com/advisories/GHSA-67mh-4wv8-2f99](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-67mh-4wv8-2f99)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### esbuild allows arbitrary file read when running the development
server on Windows

[GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr)

<details>
<summary>More information</summary>

#### Details
##### Summary

The development server contains a path traversal vulnerability on
Windows when serving files from `servedir`.

Due to the use of `path.Clean()` (which only normalizes forward-slash
`/` separators) instead of a Windows-aware path normalization function,
it is possible to craft requests using backslashes (`\`) that bypass the
intended directory containment logic. An attacker can escape the
configured `servedir` root and access arbitrary files on the filesystem.
This issue affects Windows environments only.

##### Details

The request path is sanitized using:
```go
// https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L165
queryPath := path.Clean(req.URL.Path)[1:]
```

However:
- `path.Clean()` is POSIX-style and only understands `/` (docs:
`https://pkg.go.dev/path#Clean`)
- On Windows, `\` is a valid path separator
- `path.Clean()` does not treat `\` as a separator

Later, the server constructs the absolute path:
```go
// https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L221
absPath := h.fs.Join(h.servedir, queryPath)
```

If `queryPath` contains sequences such as:
```
..\..\..\..\..\..\..\Windows\system.ini
```

`path.Clean()` will not normalize them, but the Windows filesystem will
interpret `\` as directory separators when resolving `absPath`.
Because the implementation does not verify that the final resolved path
remains within `servedir`, it allows directory traversal outside the
intended root directory.

##### Vulnerable Code

```go
// https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L165
	queryPath := path.Clean(req.URL.Path)[1:]
	....
	// Check for a file in the "servedir" directory
	if h.servedir != "" && kind != fs.FileEntry {
		absPath := h.fs.Join(h.servedir, queryPath)
		if absDir := h.fs.Dir(absPath); absDir != absPath {
			if entries, err, _ := h.fs.ReadDirectory(absDir); err == nil {
				if entry, _ := entries.Get(h.fs.Base(absPath)); entry != nil && entry.Kind(h.fs) == fs.FileEntry {
	....				
```

##### Steps to reproduce

```
npm install --save-exact --save-dev esbuild

echo "console.log(1)" > app.js

.\node_modules\.bin\esbuild --version
0.27.3

.\node_modules\.bin\esbuild app.js --bundle --outdir=www --servedir=www --watch

curl -i --path-as-is "http://localhost:8000/..\..\..\..\..\..\..\Windows\system.ini"
<content of Windows\system.ini>
```

##### Impact

- Arbitrary file read on Windows
- Exposure of sensitive files

#### Severity
- CVSS Score: 2.5 / 10 (Low)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N`

#### References
-
[https://github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr)
-
[https://github.com/evanw/esbuild/releases/tag/v0.28.1](https://redirect.github.com/evanw/esbuild/releases/tag/v0.28.1)
-
[https://github.com/advisories/GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-g7r4-m6w7-qqqr)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>evanw/esbuild (esbuild)</summary>

###
[`v0.28.1`](https://redirect.github.com/evanw/esbuild/blob/HEAD/CHANGELOG.md#0281)

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.28.0...v0.28.1)

- Disallow `\\` in local development server HTTP requests
([GHSA-g7r4-m6w7-qqqr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr))

This release fixes a security issue where HTTP requests to esbuild's
local development server could traverse outside of the serve directory
on Windows using a `\\` backslash character. It happened due to the use
of Go's `path.Clean()` function, which only handles Unix-style `/`
characters. HTTP requests with paths containing `\\` are no longer
allowed.

Thanks to [@&#8203;dellalibera](https://redirect.github.com/dellalibera)
for reporting this issue.

- Add integrity checks to the Deno API
([GHSA-gv7w-rqvm-qjhr](https://redirect.github.com/evanw/esbuild/security/advisories/GHSA-gv7w-rqvm-qjhr))

The previous release of esbuild added integrity checks to esbuild's npm
install script. This release also adds integrity checks to esbuild's
Deno install script. Now esbuild's Deno API will also fail with an error
if the downloaded esbuild binary contains something other than the
expected content.

Note that esbuild's Deno API installs from `registry.npmjs.org` by
default, but allows the `NPM_CONFIG_REGISTRY` environment variable to
override this with a custom package registry. This change means that the
esbuild executable served by `NPM_CONFIG_REGISTRY` must now match the
expected content.

Thanks to [@&#8203;sondt99](https://redirect.github.com/sondt99) for
reporting this issue.

- Avoid inlining `using` and `await using` declarations
([#&#8203;4482](https://redirect.github.com/evanw/esbuild/issues/4482))

Previously esbuild's minifier sometimes incorrectly inlined `using` and
`await using` declarations into subsequent uses of that declaration,
which then fails to dispose of the resource correctly. This bug happened
because inlining was done for `let` and `const` declarations by avoiding
doing it for `var` declarations, which no longer worked when more
declaration types were added. Here's an example:

  ```js
  // Original code
  {
    using x = new Resource()
    x.activate()
  }

  // Old output (with --minify)
  new Resource().activate();

  // New output (with --minify)
  {using e=new Resource;e.activate()}
  ```

- Fix module evaluation when an error is thrown
([#&#8203;4461](https://redirect.github.com/evanw/esbuild/issues/4461),
[#&#8203;4467](https://redirect.github.com/evanw/esbuild/pull/4467))

If an error is thrown during module evaluation, esbuild previously
didn't preserve the state of the module for subsequent module
references. This was observable if `import()` or `require()` is used to
import a module multiple times. The thrown error is supposed to be
thrown by every call to `import()` or `require()`, not just the first.
With this release, esbuild will now throw the same error every time you
call `import()` or `require()` on a module that throws during its
evaluation.

- Fix some edge cases around the `new` operator
([#&#8203;4477](https://redirect.github.com/evanw/esbuild/issues/4477))

Previously esbuild incorrectly printed certain edge cases involving
complex expressions inside the target of a `new` expression
(specifically an optional chain and/or a tagged template literal). The
generated code for the `new` target was not correctly wrapped with
parentheses, and either contained a syntax error or had different
semantics. These edge cases have been fixed so that they now correctly
wrap the `new` target in parentheses. Here is an example of some
affected code:

  ```js
  // Original code
  new (foo()`bar`)()
  new (foo()?.bar)()

  // Old output
  new foo()`bar`();
  new (foo())?.bar();

  // New output
  new (foo())`bar`();
  new (foo()?.bar)();
  ```

- Fix renaming of nested `var` declarations
([#&#8203;4471](https://redirect.github.com/evanw/esbuild/issues/4471))

This release fixes a bug where `var` declarations in nested scopes that
are hoisted up to module scope were not correctly being renamed during
bundling. That could previously lead to name collisions when
minification was disabled, which could potentially cause a behavior
change. The bug has been fixed so that these hoisted declarations are
now considered to be module-level symbols during the name collision
avoidance pass.

- Emit `var` instead of `const` for certain TypeScript-only constructs
for ES5
([#&#8203;4448](https://redirect.github.com/evanw/esbuild/issues/4448))

While esbuild doesn't generally support converting `const` to `var` for
ES5 due to nested scoping rules (which is currently a build-time error),
esbuild previously incorrectly converted TypeScript-only `import`
assignment constructs into a `const` declaration even when targeting
ES5. With this release, esbuild will now use `var` for this case
instead:

  ```js
  // Original code
  import x = require('y')

  // Old output (with --target=es5)
  const x = require("y");

  // New output (with --target=es5)
  var x = require("y");
  ```

### [`v0.28.0`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.7...v0.28.0)

### [`v0.27.7`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.5...v0.27.7)

### [`v0.27.5`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.4...v0.27.5)

### [`v0.27.4`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.3...v0.27.4)

### [`v0.27.3`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.2...v0.27.3)

### [`v0.27.2`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.1...v0.27.2)

### [`v0.27.1`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.27.0...v0.27.1)

### [`v0.27.0`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.26.0...v0.27.0)

### [`v0.26.0`]()

[Compare
Source](https://redirect.github.com/evanw/esbuild/compare/v0.25.12...v0.26.0)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-06-18 17:41:44 +08:00
DarkSky d500e472f0 chore: bump deps (#15124) 2026-06-18 12:55:18 +08:00
DarkSky da7781a751 feat(mobile): improve android edgeless & ci (#15118)
#### PR Dependency Tree


* **PR #15118** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Improved mobile CI workflow with change-aware Android/iOS build jobs
and updated completion dependencies so tests wait for the relevant
mobile builds.
* **Performance / App Behavior**
* Enhanced Android WebView behavior: improved viewport/WebView tuning,
disabled zoom and scrollbars, and made mixed-content allowance
environment-aware (debug vs non-debug).
* Adjusted Android cleartext traffic handling based on build/debug
settings and Capacitor server URL configuration.
* **Tests**
* Strengthened Electron BYOK storage tests with per-test temporary
directories, mock control, and added coverage for when secure storage is
unavailable.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-17 02:08:15 +08:00
keepClamDown a77d89bb1a fix(editor): edgeless can't slider with finger (#15091)
fix bug edgeless can't slider with finger 

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added mobile immersive edgeless mode with dynamic chrome auto-hide and
tap-gesture controls.
  * Added a mobile zoom ruler UI for edgeless.
* **Bug Fixes**
* Improved iOS rendering/zoom by applying low-zoom survival behavior,
gesture-aware refresh deferral, and effective-DPR canvas scaling.
* Fixed iOS webview zoom/bounce and process-termination reload behavior.
  * Improved placeholder styling with theme-aware colors.
* **Chores**
  * Updated local ignore rules and iOS app build/version configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: DarkSky <darksky2048@gmail.com>
2026-06-16 21:19:31 +08:00
DarkSky d10dd12663 fix(core): transport may not available (#15087)
fix #15086


#### PR Dependency Tree


* **PR #15087** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Console logging is now disabled in production builds to reduce
unnecessary log output, while remaining enabled in development for
debugging purposes.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-06 18:32:54 +08:00
DarkSky aca47445aa feat(client): migration old package to rspack (#15068)
#### PR Dependency Tree


* **PR #15068** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Upgraded Vitest across packages to 4.1.8 and bumped Tailwind PostCSS
to 4.3.0
* CLI/tooling updated to support the media-capture-playground package
and adjust build/dev server behavior

* **Bug Fixes**
  * Improved workspace deletion reliability in the Electron app

* **Refactor**
* Simplified media capture playground build setup (build/config
adjustments)

* **Tests**
* Made tests more robust by preserving/restoring environment state
during runs
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-02 12:00:50 +08:00
DarkSky 38110de134 fix(core): desktop e2e (#15062)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Sign-in flows now reliably propagate richer authentication results
(user data and session type), improving persistence and reducing
intermittent sign-in issues.
* Native token handling gains a fallback for environments without
encrypted storage, improving session reliability.

* **New Features**
* User-visible warning when sign-in is session-only because encrypted
storage is unavailable.

* **Chores**
  * Tooling ignore patterns updated to exclude .codex.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-01 23:54:41 +08:00
DarkSky 7123595831 chore: bump deps (#15059)
#### PR Dependency Tree


* **PR #15059** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Configurable minimum account age before new accounts can invite
members or create share links (default: 24 hours).
* Sign-in now returns and caches user info for improved session
handling.

* **Bug Fixes**
  * Queue handling accepts and resolves job IDs with special characters.
* Improved clipboard/rich-text caret handling and nested-list paste
reliability.
  * Calendar tests use dynamic current-month dates.
  * AI search returns explicit "No matching documents" when none found.
  * Auth session responses are explicitly non-cacheable.

* **Chores**
* Dependency and toolchain bumps; admin UI config/schema exposes the new
account-age setting.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-01 20:13:59 +08:00
DarkSky ce9841df9d feat(server): passkey pre-refactor (#15060)
#### PR Dependency Tree


* **PR #15060** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* OpenApp native sign-in and native session exchange (JWT) for mobile &
desktop.
  * Centralized short-lived auth challenge store for one-time tokens.
* Encrypted per-endpoint token storage and native token handlers
(Android, iOS, Electron).

* **Improvements**
* Richer auth-method reporting (password, magic link, OAuth, passkey)
and improved sign-in flows.
* Hardened magic-link, OAuth, and session issuance; JWT-backed sessions
and websocket JWT support.
* UX tweaks: form-based password submit, OTP autocomplete, adjusted
captcha flow.

* **Bug Fixes**
  * Expanded tests and auth-state resets to avoid cross-test leakage.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-01 17:11:15 +08:00
DarkSky 6d1172ba44 chore: bump deps 2026-05-24 07:13:16 +08:00
DarkSky eb9cc22502 feat(server): refactor for byok (#14911) 2026-05-07 04:03:14 +08:00
DarkSky 4e169ea5c7 fix(editor): cross browser test stability (#14897)
#### PR Dependency Tree


* **PR #14897** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved reliability of shape and connector detection by forcing full
DOM renders during waits.
* Fixed race conditions in code-block theme loading and cleanup when
components unmount.
* Refined viewport element discovery to correctly handle
rotated/canvas-layer elements and avoid stale DOM removal.

* **Tests**
  * Increased polling timeouts and retries to reduce flakiness.
* Disabled per-file parallelism and ensured test setup performs full
cleanup before starting; extended test timeout.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-04 20:07:40 +08:00
renovate[bot] df482c9cf2 chore: bump up uuid version to v14 [SECURITY] (#14870)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [uuid](https://redirect.github.com/uuidjs/uuid) | [`^13.0.0` →
`^14.0.0`](https://renovatebot.com/diffs/npm/uuid/13.0.0/14.0.0) |
![age](https://developer.mend.io/api/mc/badges/age/npm/uuid/14.0.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/uuid/13.0.0/14.0.0?slim=true)
|

---

### uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

[GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)

<details>
<summary>More information</summary>

#### Details
##### Summary

`v3`, `v5`, and `v6` accept external output buffers but do not reject
out-of-range writes (small `buf` or large `offset`).
By contrast, `v4`, `v1`, and `v7` explicitly throw `RangeError` on
invalid bounds.

This inconsistency allows **silent partial writes** into caller-provided
buffers.

##### Affected code

- `src/v35.ts` (`v3`/`v5` path) writes `buf[offset + i]` without bounds
validation.
- `src/v6.ts` writes `buf[offset + i]` without bounds validation.

##### Reproducible PoC

```bash
cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"
```

Observed:

- `v4 THREW RangeError`
- `v5 NO_THROW`
- `v6 NO_THROW`

Example partial overwrite evidence captured during audit:

```text
same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]
```

##### Security impact

- **Primary**: integrity/robustness issue (silent partial output).
- If an application assumes full UUID writes into preallocated buffers,
this can produce malformed/truncated/partially stale identifiers without
error.
- In systems where caller-controlled offsets/buffer sizes are exposed
indirectly, this may become a security-relevant logic flaw.

##### Suggested fix

Add the same guard used by `v4`/`v1`/`v7`:

```ts
if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}
```

Apply to:

- `src/v35.ts` (covers `v3` and `v5`)
- `src/v6.ts`

#### Severity
- CVSS Score: 6.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`

#### References
-
[https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq)
-
[https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34](https://redirect.github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34)
-
[https://github.com/uuidjs/uuid/releases/tag/v14.0.0](https://redirect.github.com/uuidjs/uuid/releases/tag/v14.0.0)
-
[https://github.com/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>uuidjs/uuid (uuid)</summary>

###
[`v14.0.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1400-2026-04-19)

[Compare
Source](https://redirect.github.com/uuidjs/uuid/compare/v13.0.0...v14.0.0)

##### Security

- Fixes
[GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq):
`v3()`, `v5()`, and `v6()` did not validate that writes would remain
within the bounds of a caller-supplied buffer, allowing out-of-bounds
writes when an invalid `offset` was provided. A `RangeError` is now
thrown if `offset < 0` or `offset + 16 > buf.length`.

##### ⚠ BREAKING CHANGES

- `crypto` is now expected to be globally defined (requires
node\@&#8203;20+)
([#&#8203;935](https://redirect.github.com/uuidjs/uuid/issues/935))
- drop node\@&#8203;18 support
([#&#8203;934](https://redirect.github.com/uuidjs/uuid/issues/934))
- upgrade minimum supported TypeScript version to 5.4.3, in keeping with
the project's policy of supporting TypeScript versions released within
the last two years

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjEzOS40IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-04-26 00:48:53 +08:00
DarkSky c6a99eb9cb chore: bump deps (#14810)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Updated developer tooling dependencies used for local testing to newer
patch versions for improved stability.
* Bumped backend framework and related packages to newer patch releases
to address fixes and maintain compatibility.
* No functional or public API changes; updates are non-breaking
dependency version bumps.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-09 12:41:38 +08:00
DarkSky fee0cfa3f4 chore: bump deps (#14785)
#### PR Dependency Tree


* **PR #14785** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
  * Updated error-tracking SDK versions across frontend packages.
* Upgraded Electron build toolchain and front-end build plugins for
improved compatibility.
* Replaced a SWC-based React plugin with the standard React Vite plugin.
  * Removed unused development dependencies from CLI tooling.
  * Bumped a Rust workspace dependency to a patch release.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-05 12:25:18 +08:00
DarkSky 233004f867 chore: bump oxlint & enable more supported rules (#14769) 2026-04-03 03:36:52 +08:00
DarkSky 91ad783973 fix(test): e2e stability (#14749)
#### PR Dependency Tree


* **PR #14749** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved link preview reliability by updating request identification
to better match modern browsers.
* **Tests**
* Made end-to-end and integration tests deterministic and more robust,
improving AI chat, image generation, attachment handling, settings
visibility, and editor flows.
* **Chores**
* Updated underlying tooling versions to enhance stability and
compatibility.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-29 23:26:15 +08:00
DarkSky 5b05c5a1b2 feat(server): refactor record schema (#14729)
#### PR Dependency Tree


* **PR #14729** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Transcriptions now produce structured meeting summaries (strict JSON)
and a normalized, speaker‑tagged, non‑overlapping transcript with legacy
projection support.

* **API**
* Submission accepts richer transcription input; results return
source‑audio metadata, slice manifest, quality indicators, normalized
segments/transcript, and structured summary JSON.

* **Frontend**
* Recording flow stores transcription metadata and uploads preprocessed
audio slices with slice/quality info; UI-side result normalization
applied.

* **Tests**
* Expanded unit, contract, and e2e coverage for normalization, payload
parsing, persistence/retry, and end‑to‑end transcription flows.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-26 21:32:36 +08:00
DarkSky 9b56a05159 feat(native): async recorder (#14700)
#### PR Dependency Tree


* **PR #14700** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Durable, resumable import queue with explicit import lifecycle and
updated popup/tray status behavior.
* Async native recording APIs and ability to abort recordings; audio
quality metrics (degraded, overflow count).
  * Added "Importing..." translation.

* **Bug Fixes**
* More reliable single-claim import processing, retries and cleanup to
avoid duplicate imports.
  * Improved stop/abort teardown stability and safer shutdown behavior.

* **Tests**
* New/updated tests covering coordinator, import queue, native async
flows and teardown scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-23 22:38:52 +08:00
DarkSky dcf041a3f2 fix(editor): ci stability (#14704)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Improved Electron shutdown, diagnostics and tab teardown for more
reliable exits and forced cleanup on stubborn processes.
* **Tests**
* Added polling-based test helpers, stronger scroll/page readiness,
timeout-tolerant page selection, and async cleanup/worker teardown;
updated many tests to wait for UI/model updates and rendering frames.
* **Bug Fixes**
* Reduced flakiness by awaiting paragraph visibility, nested counts,
selection/navigation stability, tab counts, post-action renders, and
safer element interactions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-23 16:25:15 +08:00
DarkSky bcf2a51d41 feat(native): record encoding (#14188)
fix #13784 

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Start/stop system or meeting recordings with Ogg/Opus artifacts and
native start/stop APIs; workspace backup recovery.

* **Refactor**
* Simplified recording lifecycle and UI flows; native runtime now
orchestrates recording/processing and reporting.

* **Bug Fixes**
* Stronger path validation, safer import/export dialogs, consistent
error handling/logging, and retry-safe recording processing.

* **Chores**
* Added cross-platform native audio capture and Ogg/Opus encoding
support.

* **Tests**
* New unit, integration, and e2e tests for recording, path guards,
dialogs, and workspace recovery.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-22 02:50:14 +08:00
DarkSky 7ac8b14b65 feat(editor): migrate typst mermaid to native (#14499)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Native/WASM Mermaid and Typst SVG preview rendering on desktop and
mobile, plus cross-platform Preview plugin integrations.

* **Improvements**
* Centralized, sanitized rendering bridge with automatic Typst
font-directory handling and configurable native renderer selection.
* More consistent and robust error serialization and worker-backed
preview flows for improved stability and performance.

* **Tests**
* Extensive unit and integration tests for preview rendering, font
discovery, sanitization, and error serialization.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-20 04:04:40 +08:00
DarkSky 1ffb8c922c fix(native): cleanup deleted docs and blobs (#14689) 2026-03-20 04:00:25 +08:00
DarkSky d6d5ae6182 fix(electron): create doc shortcut should follow default type in settings (#14678) 2026-03-18 14:58:22 +08:00
DarkSky f34e25e122 test: migrate test & utils (#14569)
#### PR Dependency Tree


* **PR #14569** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Upgraded development test tooling to Vitest v4 and added Playwright
browser test integration; normalized test configurations and CI shard
matrix.

* **Tests**
* Added a large suite of new integration tests covering editor flows
(edgeless, database, embeds, images, latex, code, clipboard,
multi-editor, presentation, undo/redo, etc.).
* Removed numerous end-to-end Playwright test suites across the same
feature areas.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-07 04:12:27 +08:00
DarkSky 2cb171f553 feat: cleanup webpack deps (#14530)
#### PR Dependency Tree


* **PR #14530** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Breaking Changes**
  * Webpack bundler support removed from the build system
* Bundler selection parameter removed from build and development
commands

* **Refactor**
  * Build configuration consolidated to a single bundler approach
* Webpack-specific build paths and workflows removed; development server
simplified

* **Chores**
  * Removed webpack-related dev dependencies and tooling
  * Updated package build scripts for a unified bundle command

* **Dependencies**
* Upgraded Sentry packages across frontend packages
(react/electron/esbuild plugin)
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-28 00:24:08 +08:00
DarkSky 046e126054 feat: bump typescript (#14507)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
  * Upgraded TypeScript toolchain to v5.9.3 across packages and tooling.
* Removed legacy ts-node and migrated developer tooling to newer
runtimes (tsx/SWC) where applicable.
* **Documentation**
* Updated developer CLI docs and runtime behavior notes to reflect the
new loader/runtime for running TypeScript files; no changes to public
APIs or end-user behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-24 13:22:46 +08:00
DarkSky c2c7dde06c chore: bump deps (#14506)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
  * Version bumped to 0.26.3 across the project and Helm charts.
  * Removed an unused dependency (minimatch) from multiple packages.
* Updated build/tooling and packaging metadata, including packaging
maker replacement.
  * Adjusted app release metadata and platform packaging config.

* **Tests**
* Updated test snapshots to reflect minor presentational styling
adjustments.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-24 09:11:41 +08:00
DarkSky 6d805b302c docs: cleanup outdated infos 2026-02-23 21:03:13 +08:00
DarkSky ef6717e59a fix(editor): editor behavior and styles (#14498)
fix #14269 
fix #13920
fix #13977
fix #13953
fix #13895
fix #13905
fix #14136
fix #14357
fix #14491

#### PR Dependency Tree


* **PR #14498** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
  * Callout and toolbar defaults now reliably show grey backgrounds
  * Keyboard shortcuts behave better across layouts and non-ASCII input
  * Deleted workspaces no longer appear in local listings

* **New Features**
  * Cell editing now respects pre-entry validation hooks
* Scrollbars use themeable variables and include Chromium compatibility
fixes

* **Style**
  * Minor UI color adjustment for hidden properties

* **Tests**
  * Added unit tests for table column handling and keymap behavior
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-23 06:37:16 +08:00
DarkSky ad988dbd1e chore: trim useless files for client (#14488)
#### PR Dependency Tree


* **PR #14488** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Improved Electron build to trim unused locale files on macOS, Windows,
and Linux while always preserving English fallbacks; added post-build
cleanup and stricter packaging ignore rules to exclude tests, examples,
scripts, docs, README, and build metadata.
* **Style**
  * Reformatted a TypeScript type annotation for consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-22 17:17:42 +08:00
DarkSky 2414aa5848 feat: improve admin build (#14485)
#### PR Dependency Tree


* **PR #14485** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
  * Admin static assets now served under /admin for self-hosted installs
  * CLI is directly executable from the command line
  * Build tooling supports a configurable self-hosted public path
  * Updated admin package script for adding UI components
* Added a PostCSS dependency and plugin to the build toolchain for admin
builds

* **Style**
* Switched queue module to a local queuedash stylesheet, added queuedash
Tailwind layer, and scoped queuedash styles for the admin UI

* **Bug Fixes**
  * Improved error propagation in the Electron renderer
* Migration compatibility to repair a legacy checksum during native
storage upgrades

* **Tests**
  * Added tests covering the migration repair flow
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-21 23:25:05 +08:00
DarkSky 0de1bd0da8 feat: bump deps (#14484) 2026-02-21 08:04:18 +08:00
DarkSky 850e646ab9 fix: electon rendering on windows (#14456)
fix #14450
fix #14401
fix #13983
fix #12766
fix #14404
fix #12019

#### PR Dependency Tree


* **PR #14456** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added new tab navigation functions: `switchTab`, `switchToNextTab`,
and `switchToPreviousTab`.

* **Bug Fixes**
  * Improved bounds validation for tab view resizing.
  * Enhanced tab lifecycle management during navigation events.
  * Refined background throttling behavior for active tabs.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-16 14:08:26 +08:00
renovate[bot] 52c7b04a01 chore: bump up @vitejs/plugin-react-swc version to v4 (#14405)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[@vitejs/plugin-react-swc](https://redirect.github.com/vitejs/vite-plugin-react/tree/main/packages/plugin-react-swc#readme)
([source](https://redirect.github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react-swc))
| [`^3.7.2` →
`^4.0.0`](https://renovatebot.com/diffs/npm/@vitejs%2fplugin-react-swc/3.9.0/4.2.3)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/@vitejs%2fplugin-react-swc/4.2.3?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@vitejs%2fplugin-react-swc/3.9.0/4.2.3?slim=true)
|

---

### Release Notes

<details>
<summary>vitejs/vite-plugin-react
(@&#8203;vitejs/plugin-react-swc)</summary>

###
[`v4.2.3`](https://redirect.github.com/vitejs/vite-plugin-react/blob/HEAD/packages/plugin-react-swc/CHANGELOG.md#423-2026-02-02)

[Compare
Source](https://redirect.github.com/vitejs/vite-plugin-react/compare/5e600a31ec27fae54df58a46ef1fffa80238042e...12914fa8c1d32323db6a134d46cd0ca83db91cd1)

###
[`v4.2.2`](https://redirect.github.com/vitejs/vite-plugin-react/blob/HEAD/packages/plugin-react-swc/CHANGELOG.md#422-2025-11-12)

[Compare
Source](https://redirect.github.com/vitejs/vite-plugin-react/compare/v4.2.1...5e600a31ec27fae54df58a46ef1fffa80238042e)

##### Update code to support newer `rolldown-vite`
([#&#8203;978](https://redirect.github.com/vitejs/vite-plugin-react/pull/978))

`rolldown-vite` will remove `optimizeDeps.rollupOptions` in favor of
`optimizeDeps.rolldownOptions` soon. This plugin now uses
`optimizeDeps.rolldownOptions` to support newer `rolldown-vite`. Please
update `rolldown-vite` to the latest version if you are using an older
version.

###
[`v4.2.1`](https://redirect.github.com/vitejs/vite-plugin-react/blob/HEAD/packages/plugin-react-swc/CHANGELOG.md#421-2025-11-05)

[Compare
Source](https://redirect.github.com/vitejs/vite-plugin-react/compare/v4.2.0...v4.2.1)

##### Fix `@vitejs/plugin-react-swc/preamble` on build
([#&#8203;962](https://redirect.github.com/vitejs/vite-plugin-react/pull/962))

###
[`v4.2.0`](https://redirect.github.com/vitejs/vite-plugin-react/blob/HEAD/packages/plugin-react-swc/CHANGELOG.md#420-2025-10-24)

[Compare
Source](https://redirect.github.com/vitejs/vite-plugin-react/compare/v4.1.0...v4.2.0)

##### Add `@vitejs/plugin-react-swc/preamble` virtual module for SSR HMR
([#&#8203;890](https://redirect.github.com/vitejs/vite-plugin-react/pull/890))

SSR applications can now initialize HMR runtime by importing
`@vitejs/plugin-react-swc/preamble` at the top of their client entry
instead of manually calling `transformIndexHtml`. This simplifies SSR
setup for applications that don't use the `transformIndexHtml` API.

##### Use SWC when useAtYourOwnRisk\_mutateSwcOptions is provided
([#&#8203;951](https://redirect.github.com/vitejs/vite-plugin-react/pull/951))

Previously, this plugin did not use SWC if plugins were not provided
even if `useAtYourOwnRisk_mutateSwcOptions` was provided. This is now
fixed.

###
[`v4.1.0`](https://redirect.github.com/vitejs/vite-plugin-react/blob/HEAD/packages/plugin-react-swc/CHANGELOG.md#410-2025-09-17)

[Compare
Source](https://redirect.github.com/vitejs/vite-plugin-react/compare/f21864b102d40fca4f70dfe9112a10101ec12f54...v4.1.0)

##### Set SWC cacheRoot options

This is set to `{viteCacheDir}/swc` and override the default of `.swc`.

##### Perf: simplify refresh wrapper generation
([#&#8203;835](https://redirect.github.com/vitejs/vite-plugin-react/pull/835))

###
[`v4.0.1`](https://redirect.github.com/vitejs/vite-plugin-react/blob/HEAD/packages/plugin-react-swc/CHANGELOG.md#401-2025-08-19)

[Compare
Source](https://redirect.github.com/vitejs/vite-plugin-react/compare/590f394c1e451987258ed64a4b5fb6207c5e8261...f21864b102d40fca4f70dfe9112a10101ec12f54)

##### Set `optimizeDeps.rollupOptions.transform.jsx` instead of
`optimizeDeps.rollupOptions.jsx` for rolldown-vite
([#&#8203;735](https://redirect.github.com/vitejs/vite-plugin-react/pull/735))

`optimizeDeps.rollupOptions.jsx` is going to be deprecated in favor of
`optimizeDeps.rollupOptions.transform.jsx`.

###
[`v4.0.0`](https://redirect.github.com/vitejs/vite-plugin-react/blob/HEAD/packages/plugin-react-swc/CHANGELOG.md#400-2025-08-07)

[Compare
Source](https://redirect.github.com/vitejs/vite-plugin-react/compare/9e0c1038959e828865be810a164a51c3db1ac375...590f394c1e451987258ed64a4b5fb6207c5e8261)

###
[`v3.11.0`](https://redirect.github.com/vitejs/vite-plugin-react/blob/HEAD/packages/plugin-react-swc/CHANGELOG.md#3110-2025-07-18)

[Compare
Source](https://redirect.github.com/vitejs/vite-plugin-react/compare/32d49ecf9b15e3070c7abe5a176252a3fe542e5c...9e0c1038959e828865be810a164a51c3db1ac375)

##### Add HMR support for compound components
([#&#8203;518](https://redirect.github.com/vitejs/vite-plugin-react/pull/518))

HMR now works for compound components like this:

```tsx
const Root = () => <div>Accordion Root</div>
const Item = () => <div>Accordion Item</div>

export const Accordion = { Root, Item }
```

##### Return `Plugin[]` instead of `PluginOption[]`
([#&#8203;537](https://redirect.github.com/vitejs/vite-plugin-react/pull/537))

The return type has changed from `react(): PluginOption[]` to more
specialized type `react(): Plugin[]`. This allows for type-safe
manipulation of plugins, for example:

```tsx
// previously this causes type errors
react()
  .map(p => ({ ...p, applyToEnvironment: e => e.name === 'client' }))
```

###
[`v3.10.2`](https://redirect.github.com/vitejs/vite-plugin-react/blob/HEAD/packages/plugin-react-swc/CHANGELOG.md#3102-2025-06-10)

[Compare
Source](https://redirect.github.com/vitejs/vite-plugin-react/compare/8ce7183265c43f88623655a9cfdcec5282068f9b...32d49ecf9b15e3070c7abe5a176252a3fe542e5c)

##### Suggest `@vitejs/plugin-react-oxc` if rolldown-vite is detected
[#&#8203;491](https://redirect.github.com/vitejs/vite-plugin-react/pull/491)

Emit a log which recommends `@vitejs/plugin-react-oxc` when
`rolldown-vite` is detected to improve performance and use Oxc under the
hood. The warning can be disabled by setting `disableOxcRecommendation:
true` in the plugin options.

##### Use `optimizeDeps.rollupOptions` instead of
`optimizeDeps.esbuildOptions` for rolldown-vite
[#&#8203;489](https://redirect.github.com/vitejs/vite-plugin-react/pull/489)

This suppresses the warning about `optimizeDeps.esbuildOptions` being
deprecated in rolldown-vite.

##### Add Vite 7-beta to peerDependencies range
[#&#8203;497](https://redirect.github.com/vitejs/vite-plugin-react/pull/497)

React plugins are compatible with Vite 7, this removes the warning when
testing the beta.

###
[`v3.10.1`](https://redirect.github.com/vitejs/vite-plugin-react/blob/HEAD/packages/plugin-react-swc/CHANGELOG.md#3101-2025-06-03)

[Compare
Source](https://redirect.github.com/vitejs/vite-plugin-react/compare/dcadcfc2841c0bedfe44279c556835c350dfa5fa...8ce7183265c43f88623655a9cfdcec5282068f9b)

##### Add explicit semicolon in preambleCode
[#&#8203;485](https://redirect.github.com/vitejs/vite-plugin-react/pull/485)

This fixes an edge case when using HTML minifiers that strips line
breaks aggressively.

###
[`v3.10.0`](https://redirect.github.com/vitejs/vite-plugin-react/blob/HEAD/packages/plugin-react-swc/CHANGELOG.md#3100-2025-05-23)

[Compare
Source](https://redirect.github.com/vitejs/vite-plugin-react/compare/4a944487aabe4db16660f4196e1d6eed79edf0e0...dcadcfc2841c0bedfe44279c556835c350dfa5fa)

##### Add `filter` for rolldown-vite
[#&#8203;470](https://redirect.github.com/vitejs/vite-plugin-react/pull/470)

Added `filter` so that it is more performant when running this plugin
with rolldown-powered version of Vite.

##### Skip HMR preamble in Vitest browser mode
[#&#8203;478](https://redirect.github.com/vitejs/vite-plugin-react/pull/478)

This was causing annoying `Sourcemap for "/@&#8203;react-refresh" points
to missing source files` and is unnecessary in test mode.

##### Skip HMR for JSX files with hooks
[#&#8203;480](https://redirect.github.com/vitejs/vite-plugin-react/pull/480)

This removes the HMR warning for hooks with JSX.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMiIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-10 03:22:15 +00:00
DarkSky 8b68574820 fix: old workspace migration (#14403)
fix #14395 

#### PR Dependency Tree


* **PR #14403** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
  * Added ability to enumerate and list local workspaces.
* Improved workspace ID persistence with Electron global-state storage,
automatic fallback to legacy storage, and one-time migration to
consolidate IDs.
* **Tests**
* Added unit test validating listing behavior (includes/excludes
workspaces based on presence of workspace DB file).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-09 00:22:37 +08:00
DarkSky 8ce620e2e6 chore: bump deps 2026-02-07 17:26:44 +08:00
DarkSky 31f6f209e3 chore: bump deps 2026-02-05 21:45:22 +08:00
DarkSky 403f16b404 chore: drop old client support (#14369) 2026-02-05 02:49:33 +08:00
renovate[bot] de29e8300a chore: bump up @types/uuid version to v11 (#14364)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| @&#8203;types/uuid | [`^10.0.0` →
`^11.0.0`](https://renovatebot.com/diffs/npm/@types%2fuuid/10.0.0/11.0.0)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2fuuid/11.0.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2fuuid/10.0.0/11.0.0?slim=true)
|

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-02 17:57:23 +00:00
renovate[bot] cce6122a63 chore: bump up @sentry/esbuild-plugin version to v4 (#14350)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[@sentry/esbuild-plugin](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/tree/main/packages/esbuild-plugin)
([source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins))
| [`^3.0.0` →
`^4.0.0`](https://renovatebot.com/diffs/npm/@sentry%2fesbuild-plugin/3.6.1/4.8.0)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/@sentry%2fesbuild-plugin/4.8.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@sentry%2fesbuild-plugin/3.6.1/4.8.0?slim=true)
|

---

### Release Notes

<details>
<summary>getsentry/sentry-javascript-bundler-plugins
(@&#8203;sentry/esbuild-plugin)</summary>

###
[`v4.8.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#480)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.7.0...4.8.0)

##### New Features 

- Inject component annotations into HTML elements rather than React
components by [@&#8203;timfish](https://redirect.github.com/timfish) in
[#&#8203;851](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/851)
- Combine injection snippets by
[@&#8203;timfish](https://redirect.github.com/timfish) in
[#&#8203;853](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/853)
- Use Rolldown native `MagicString` by
[@&#8203;timfish](https://redirect.github.com/timfish) in
[#&#8203;846](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/846)

###
[`v4.7.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#470)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.6.2...4.7.0)

- docs: Add RELEASE.md to document release process
([#&#8203;834](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/834))
- feat: Combine injection plugins
([#&#8203;844](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/844))
- fix(plugin-manager): Enable "rejectOnError" in debug
([#&#8203;837](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/837))
- fix(plugin-manager): Respect `sourcemap.ignore` values for injecting
debugIDs
([#&#8203;836](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/836))
- fix(vite): Skip HTML injection for MPA but keep it for SPA
([#&#8203;843](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/843))

<details>
  <summary> <strong>Internal Changes</strong> </summary>

- chore: Use pull\_request\_target for changelog preview
([#&#8203;842](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/842))
- ci(release): Switch from action-prepare-release to Craft
([#&#8203;831](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/831))
- test: Ensure Debug IDs match
([#&#8203;840](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/840))

</details>

###
[`v4.6.2`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#462)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.6.1...4.6.2)

- fix(vite): Ensure sentryVitePlugin always returns an array of plugins
([#&#8203;832](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/832))
- fix(vite): Skip code injection for HTML facade chunks
([#&#8203;830](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/830))
- fix(rollup): Prevent double-injection of debug ID
([#&#8203;827](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/827))
- fix(esbuild): fix debug ID injection when moduleMetadata or
applicationKey is set
([#&#8203;828](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/828))

###
[`v4.6.1`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#461)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.6.0...4.6.1)

- chore(deps): Update glob to 10.5.0
([#&#8203;823](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/823))

<details>
  <summary> <strong>Internal Changes</strong> </summary>

- chore(core): Log release output
([#&#8203;821](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/821))

</details>

###
[`v4.6.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#460)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.5.0...4.6.0)

- fix(core): Stop awaiting build start telemetry to avoid breaking
module federation builds
([#&#8203;818](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/818))
- feat(core): Bump
[@&#8203;sentry/cli](https://redirect.github.com/sentry/cli) from 2.51.0
to 2.57.0
([#&#8203;819](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/819))

###
[`v4.5.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#450)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.4.0...4.5.0)

- docs: added info on debug flag value precedence
([#&#8203;811](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/811))
- feat: add debug statements after sourcemap uploads
([#&#8203;812](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/812))
- feat(core): Allow multi-project sourcemaps upload
([#&#8203;813](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/813))
- fix: propagate the debug option to the cli
([#&#8203;810](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/810))

###
[`v4.4.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#440)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.3.0...4.4.0)

- feat(core): Explicitly allow `undefined` as value for `authToken`
option
([#&#8203;805](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/805))
- fix(core): Strip query strings from asset paths
([#&#8203;806](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/806))

Work in this release was contributed by
[@&#8203;aiktb](https://redirect.github.com/aiktb). Thank you for your
contribution!

###
[`v4.3.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#430)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.2.0...4.3.0)

- feat(core): Extend deploy option to allow opting out of automatic
deploy creation
([#&#8203;801](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/801))
- feat(core): No asset globbing for direct upload
([#&#8203;800](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/800))

###
[`v4.2.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#420)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.1.1...4.2.0)

- feat(core): Add `prepareArtifacts` option for uploading sourcemaps
([#&#8203;794](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/794))
- perf: use premove for build clean
([#&#8203;792](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/792))
- fix(core): Forward headers option to sentry-cli
([#&#8203;797](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/797))

Work in this release contributed by
[@&#8203;liAmirali](https://redirect.github.com/liAmirali). Thank you
for your contribution!

###
[`v4.1.1`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#411)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.1.0...4.1.1)

- fix(react-native): Enhance fragment detection for indirect references
([#&#8203;767](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/767))

###
[`v4.1.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#410)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.0.2...4.1.0)

- feat(deps): Bump
[@&#8203;sentry/cli](https://redirect.github.com/sentry/cli) to 2.51.0
[#&#8203;786](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/786)
- feat(core): Add flag for disabling sourcemaps upload
[#&#8203;785](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/785)
- fix(debugId): Add guards for injected code to avoid errors
[#&#8203;783](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/783)
- docs(options): Improve JSDoc for options
[#&#8203;781](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/781)
- feat(core): Expose method for injecting debug Ids from plugin manager
[#&#8203;784](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/784)

###
[`v4.0.2`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#402)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.0.1...4.0.2)

- fix(core): Make `moduleMetadata` injection snippet ES5-compliant
([#&#8203;774](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/774))

###
[`v4.0.1`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#401)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/4.0.0...4.0.1)

- fix(core): Make plugin inject ES5-friendly code
([#&#8203;770](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/770))
- fix(core): Use `renderChunk` for release injection for
Rollup/Rolldown/Vite
([#&#8203;761](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/761))

Work in this release was contributed by
[@&#8203;grushetsky](https://redirect.github.com/grushetsky). Thank you
for your contribution!

###
[`v4.0.0`](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/blob/HEAD/CHANGELOG.md#400)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/compare/3.6.1...4.0.0)

##### Breaking Changes

- (Type change) Vite plugin now returns `VitePlugin` type instead of
`any`
- Deprecated function `getBuildInformation` has been removed

##### List of Changes

- feat(core)!: Remove `getBuildInformation` export
([#&#8203;765](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/765))
- feat(vite)!: Update return type of vite plugin
([#&#8203;728](https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/728))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-02 01:40:58 +08:00
Akshaj Rawat b8f626513f feat: disable high power consumption without charger (#14281)
Co-authored-by: DarkSky <darksky2048@gmail.com>
2026-01-27 04:46:16 +08:00
DarkSky 27a58e764c chore: bump version & deps 2026-01-15 00:33:51 +08:00
DarkSky f42246aba1 fix: allow method for cors 2026-01-05 13:14:56 +08:00
DarkSky 41addfe311 fix: blob sync 2026-01-03 01:40:13 +08:00
DarkSky 99332228da feat: native sync state (#14190)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added indexed clock management capabilities for documents, enabling
get, set, and clear operations across Android, iOS, Electron, and web
platforms.

* **Refactor**
* Improved storage architecture to dynamically select platform-specific
implementations (SQLite for Electron, IndexedDB for others).

* **Bug Fixes**
* Enhanced document operations to properly maintain and clean up indexer
synchronization state during document lifecycle changes.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-12-31 04:09:32 +08:00
DarkSky 6514614df8 feat: bump electron (#14158) 2025-12-27 23:54:11 +08:00
DarkSky 702dbf7be4 fix: client indexing & outdated scheme (#14160)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Optimized storage handling with platform-specific
implementations—SQLite for Electron and IndexedDB for other environments
for improved performance.

* **Bug Fixes**
* Enhanced recording file access and retrieval functionality for better
reliability.
  * Strengthened local file protocol handling and security restrictions.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-12-27 17:56:42 +08:00
DarkSky 4eed92cebf feat: improve electron sandbox (#14156) 2025-12-27 03:23:28 +08:00
DarkSky 3fe8923fc3 fix: flatpak bundle (#14155) 2025-12-26 23:37:53 +08:00