mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-18 19:11:06 +00:00
3d95a2f0283a43048cbb0ac92f04e0dff5d5ece2
376 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Giteabot
|
aecb2585f0 |
fix(deps): update npm dependencies (#37753)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/view | [`6.42.0` → `6.42.1`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.42.0/6.42.1) |  |  | | [@playwright/test](https://playwright.dev) ([source](https://redirect.github.com/microsoft/playwright)) | [`1.59.1` → `1.60.0`](https://renovatebot.com/diffs/npm/@playwright%2ftest/1.59.1/1.60.0) |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.6.0` → `25.7.0`](https://renovatebot.com/diffs/npm/@types%2fnode/25.6.0/25.7.0) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.59.2` → `8.59.3`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.2/8.59.3) |  |  | | [@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest) | [`1.6.16` → `1.6.17`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.16/1.6.17) |  |  | | [eslint-plugin-de-morgan](https://redirect.github.com/azat-io/eslint-plugin-de-morgan) | [`2.1.1` → `2.1.2`](https://renovatebot.com/diffs/npm/eslint-plugin-de-morgan/2.1.1/2.1.2) |  |  | | [eslint-plugin-vue-scoped-css](https://future-architect.github.io/eslint-plugin-vue-scoped-css/) ([source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css)) | [`3.0.0` → `3.1.0`](https://renovatebot.com/diffs/npm/eslint-plugin-vue-scoped-css/3.0.0/3.1.0) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.0.8` → `11.1.1`](https://renovatebot.com/diffs/npm/pnpm/11.0.8/11.1.1) |  |  | | [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin) | [`3.0.4` → `3.0.5`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.4/3.0.5) |  |  | | [swagger-ui-dist](https://redirect.github.com/swagger-api/swagger-ui) | [`5.32.5` → `5.32.6`](https://renovatebot.com/diffs/npm/swagger-ui-dist/5.32.5/5.32.6) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.2` → `8.59.3`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.2/8.59.3) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.16.9` → `17.16.11`](https://renovatebot.com/diffs/npm/updates/17.16.9/17.16.11) |  |  | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.10` → `8.0.12`](https://renovatebot.com/diffs/npm/vite/8.0.10/8.0.12) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.5` → `4.1.6`](https://renovatebot.com/diffs/npm/vitest/4.1.5/4.1.6) |  |  | --- ### Release Notes <details> <summary>microsoft/playwright (@​playwright/test)</summary> ### [`v1.60.0`](https://redirect.github.com/microsoft/playwright/releases/tag/v1.60.0) [Compare Source](https://redirect.github.com/microsoft/playwright/compare/v1.59.1...v1.60.0) #### 🌐 HAR recording on Tracing [tracing.startHar()](https://playwright.dev/docs/api/class-tracing#tracing-start-har) / [tracing.stopHar()](https://playwright.dev/docs/api/class-tracing#tracing-stop-har) expose HAR recording as a first-class tracing API, with the same `content`, `mode` and `urlFilter` options as `recordHar`. The returned [Disposable](https://playwright.dev/docs/api/class-disposable) makes it easy to scope a recording with `await using`: ```js await using har = await context.tracing.startHar('trace.har'); const page = await context.newPage(); await page.goto('https://playwright.dev'); // HAR is finalized when `har` goes out of scope. ``` #### 🪝 Drop API New [locator.drop()](https://playwright.dev/docs/api/class-locator#locator-drop) simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches `dragenter`, `dragover`, and `drop` with a synthetic \[DataTransfer] in the page context — works cross-browser and is great for testing upload zones: ```js await page.locator('#dropzone').drop({ files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') }, }); await page.locator('#dropzone').drop({ data: { 'text/plain': 'hello world', 'text/uri-list': 'https://example.com', }, }); ``` #### 🎯 Aria snapshots - [expect(page).toMatchAriaSnapshot()](https://playwright.dev/docs/api/class-pageassertions#page-assertions-to-match-aria-snapshot) now works on a [Page](https://playwright.dev/docs/api/class-page), in addition to a [Locator](https://playwright.dev/docs/api/class-locator) — equivalent to asserting against `page.locator('body')`. - New `boxes` option on [locator.ariaSnapshot()](https://playwright.dev/docs/api/class-locator#locator-aria-snapshot) / [page.ariaSnapshot()](https://playwright.dev/docs/api/class-page#page-aria-snapshot) appends each element's bounding box as `[box=x,y,width,height]`, useful for AI consumption. #### 🛑 test.abort() New [test.abort()](https://playwright.dev/docs/api/class-test#test-abort) aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away: ```js test('does not publish to the shared page', async ({ page }) => { await page.route('**/publish', route => { test.abort('Tests must not publish to the shared page. Use the `clone` option.'); return route.abort(); }); // ... }); ``` #### New APIs ##### Browser, Context and Page - Event [browser.on('context')](https://playwright.dev/docs/api/class-browser#browser-event-context) — fired when a new context is created on the browser. - [BrowserContext](https://playwright.dev/docs/api/class-browsercontext) now mirrors lifecycle events from its pages: [browserContext.on('download')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-download), [browserContext.on('frameattached')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-attached), [browserContext.on('framedetached')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-detached), [browserContext.on('framenavigated')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-navigated), [browserContext.on('pageclose')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-page-close), [browserContext.on('pageload')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-page-load). ##### Locators and Assertions - New option `description` in [page.getByRole()](https://playwright.dev/docs/api/class-page#page-get-by-role) / [locator.getByRole()](https://playwright.dev/docs/api/class-locator#locator-get-by-role) / [frame.getByRole()](https://playwright.dev/docs/api/class-frame#frame-get-by-role) / [frameLocator.getByRole()](https://playwright.dev/docs/api/class-framelocator#frame-locator-get-by-role) for matching the [accessible description](https://www.w3.org/TR/wai-aria-1.2/#dfn-accessible-description). - New option `pseudo` in [expect(locator).toHaveCSS()](https://playwright.dev/docs/api/class-locatorassertions#locator-assertions-to-have-css) reads computed styles from `::before` or `::after`. - New option `style` in [locator.highlight()](https://playwright.dev/docs/api/class-locator#locator-highlight) applies extra inline CSS to the highlight overlay, plus new [page.hideHighlight()](https://playwright.dev/docs/api/class-page#page-hide-highlight) to clear all highlights. ##### Network - [webSocketRoute.protocols()](https://playwright.dev/docs/api/class-websocketroute#web-socket-route-protocols) returns the WebSocket subprotocols requested by the page. - New option `noDefaults` in [browserType.connectOverCDP()](https://playwright.dev/docs/api/class-browsertype#browser-type-connect-over-cdp) disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state. ##### Errors and Reporting - New [webError.location()](https://playwright.dev/docs/api/class-weberror#web-error-location) mirrors [consoleMessage.location()](https://playwright.dev/docs/api/class-consolemessage#console-message-location). - [consoleMessage.location()](https://playwright.dev/docs/api/class-consolemessage#console-message-location) now exposes `line` / `column` properties (`lineNumber` / `columnNumber` are deprecated). - New [testInfoError.errorContext](https://playwright.dev/docs/api/class-testinfoerror#test-info-error-error-context) surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an `expect(...)` matcher failure. - [reporter.onError()](https://playwright.dev/docs/api/class-reporter#reporter-on-error) now receives a `workerInfo` argument with details about the worker for fixture teardown errors. ##### Test runner - New `{testFileBaseName}` token in [testProject.snapshotPathTemplate](https://playwright.dev/docs/api/class-testproject#test-project-snapshot-path-template) — file name without extension. - Test runner now errors when a config tries to override a non-option fixture, and rejects `workers: 0` or negative values. #### 🛠️ Other improvements - HTML reporter: - `npx playwright show-report` accepts `.zip` files directly — no need to unzip first. - Steps that contain attachments inside nested children show an indicator on the parent step. - The `repeatEachIndex` is shown in the test header when non-zero. - Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel. #### Breaking Changes ⚠️ - Removed long-deprecated APIs: - `Locator.ariaRef()` — use the standard [locator.ariaSnapshot()](https://playwright.dev/docs/api/class-locator#locator-aria-snapshot) pipeline. - `handle` option on `BrowserContext.exposeBinding` and `Page.exposeBinding`. - `logger` option on `BrowserType.connect` and `BrowserType.connectOverCDP` — use [tracing](https://playwright.dev/docs/trace-viewer) instead. - Context options `videosPath` / `videoSize` — use `recordVideo` instead. #### Browser Versions - Chromium 148.0.7778.96 - Mozilla Firefox 150.0.2 - WebKit 26.4 This version was also tested against the following stable channels: - Google Chrome 147 - Microsoft Edge 147 </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/parser)</summary> ### [`v8.59.3`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8593-2026-05-11) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.2...v8.59.3) This was a version bump only for parser to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.3) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>vitest-dev/eslint-plugin-vitest (@​vitest/eslint-plugin)</summary> ### [`v1.6.17`](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/releases/tag/v1.6.17) [Compare Source](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.16...v1.6.17) ##### 🐞 Bug Fixes - Recommend `toBeTypeOf` instead of `expectTypeOf` in `prefer-expect-type-of` - by [@​sheremet-va](https://redirect.github.com/sheremet-va) in [#​896](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/896) [<samp>(a4bcd)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/a4bcdf5) - **no-standalone-expect**: Allow expect inside vi.defineHelper callbacks - by [@​nami8824](https://redirect.github.com/nami8824) in [#​894](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/894) [<samp>(fd8eb)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/fd8eb3c) ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.16...v1.6.17) </details> <details> <summary>azat-io/eslint-plugin-de-morgan (eslint-plugin-de-morgan)</summary> ### [`v2.1.2`](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/blob/HEAD/changelog.md#v212) [Compare Source](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/compare/v2.1.1...v2.1.2) [compare changes](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/compare/v2.1.1...v2.1.2) ##### 🐞 Bug Fixes - Avoid invalid autofixes for grouped boolean expressions ([1173aaa](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/commit/1173aaa)) ##### ❤️ Contributors - Azat S. ([@​azat-io](https://redirect.github.com/azat-io)) </details> <details> <summary>future-architect/eslint-plugin-vue-scoped-css (eslint-plugin-vue-scoped-css)</summary> ### [`v3.1.0`](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/blob/HEAD/CHANGELOG.md#310) [Compare Source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/compare/v3.0.0...v3.1.0) ##### Minor Changes - refactor: replace lodash with es-toolkit and vanilla js ([#​492](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/pull/492)) </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.1.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1111) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.0...v11.1.1) ##### Patch Changes - Skip installability validation when scanning workspace projects in `checkDepsStatus` (run by `verifyDepsBeforeRun`). Previously the status check called `findWorkspaceProjects`, which validates each project's `engines` and `os`/`cpu`/`libc` and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no `nodeVersion` threaded through, the engine check also fell back to the system Node from `PATH` and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use `findWorkspaceProjectsNoCheck`; install paths continue to validate. - Fixed `pnpm add <alias>:@​scope/pkg` for [named registries](https://redirect.github.com/pnpm/pnpm/pull/11324). The local resolver was claiming any specifier containing `/` as a local directory, so `pnpm add bit:@​teambit/bit` (with `bit` configured under `namedRegistries`) installed a bogus link to `bit:@​teambit/bit/` instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain. - Updated `@zkochan/cmd-shim` to 9.0.3. The sh shim it writes for `.cmd` / `.bat` targets now escapes the `/C` switch as `//C`, so it survives the path translation Git Bash applies when launching `cmd.exe`. Without this, a bare `/C` was rewritten to `C:\` before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See [pnpm/cmd-shim#55](https://redirect.github.com/pnpm/cmd-shim/pull/55). ### [`v11.1.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1110) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.0.9...v11.1.0) ##### Minor Changes - Added `pnpm audit signatures` to verify ECDSA registry signatures for installed packages against keys from `/-/npm/v1/keys` [#​7909](https://redirect.github.com/pnpm/pnpm/issues/7909). Scoped registries are respected, and registries without signing keys are skipped. - Added support for installing packages from the [GitHub Packages npm registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry) via a built-in `gh:` prefix (e.g. `pnpm add gh:@​acme/private`), and, more broadly, for arbitrary named registries in the style of [vlt's named-registry aliases](https://docs.vlt.sh/cli/registries). Authentication is picked up from the existing per-URL `.npmrc` entries (e.g. `//npm.pkg.github.com/:_authToken=...`), so no separate auth mechanism is required. Additional aliases — or an override for the built-in `gh` alias, for GitHub Enterprise Server — can be configured under `namedRegistries` in `pnpm-workspace.yaml`: ```yaml namedRegistries: gh: https://npm.pkg.github.example.com/ work: https://npm.work.example.com/ ``` With this, `work:@​corp/lib@^2.0.0` resolves against `https://npm.work.example.com/`. [#​11324](https://redirect.github.com/pnpm/pnpm/issues/11324). - Allow setting sbom spec version using `--sbom-spec-version` [#​11389](https://redirect.github.com/pnpm/pnpm/pull/11389). - Add `--no-runtime` flag (config: `runtime=false`) to skip installing runtime entries (e.g. Node.js downloaded via `devEngines.runtime`) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and `.bin` linking are skipped. Useful in CI matrices where the runtime is provisioned externally (e.g. via `pnpm runtime -g set node <version>`) before `pnpm install` runs. - Added the `pnpm bugs` command that opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's `package.json`; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. Falls back to `<repository>/issues` when the `bugs` field is missing [#​11279](https://redirect.github.com/pnpm/pnpm/pull/11279). - Added `pnpm owner` command to manage package owners on the registry. ##### Patch Changes - Added "published X ago by Y" information to the `pnpm view` command output, similar to `npm view`. This is useful when comparing against `minimumReleaseAge`. For example, `pnpm view pnpm` now shows: ``` published 17 hours ago by GitHub Actions ``` - `pnpm publish` now honors the configured HTTP/HTTPS proxy (including `https_proxy`/`http_proxy`/`no_proxy` environment variables) when polling the registry's `doneUrl` during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond `403` from a different source IP and the login to never complete [#​11561](https://redirect.github.com/pnpm/pnpm/issues/11561). - `pnpm add -g` now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so that they share dependencies and are removed together), pass them as a comma-separated list. For example: - `pnpm add -g foo bar` installs `foo` and `bar` as two independent globals — removing one does not affect the other. - `pnpm add -g foo,bar qar` bundles `foo` and `bar` into a single isolated install while `qar` is installed on its own. Related: [#​11587](https://redirect.github.com/pnpm/pnpm/issues/11587). - `pnpm runtime set <name> <version>` no longer fails in the root of a multi-package workspace with the `ADDING_TO_ROOT` error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check. - Fix `pnpm --version` hanging for the lifetime of the worker pool after the version was printed. `main.ts`'s `--version` short-circuit returned before reaching the command-handler `finally` that calls `finishWorkers()`, so the worker pool that `switchCliVersion` had spawned during integrity resolution stayed alive and held the Node event loop open. The CLI entry now runs `finishWorkers()` from its own `finally`, so every exit path tears the pool down. Repro: `pnpm --version` in a workspace whose `devEngines.packageManager` version already matches the running pnpm + `onFail: "download"`. `switchCliVersion` resolves the integrity (spawning workers), finds nothing to swap, returns. The version prints, then the process hangs. ### [`v11.0.9`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1109) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.0.8...v11.0.9) ##### Patch Changes - Fixed installation of GitLab-hosted dependencies. pnpm now downloads the tarball from `https://gitlab.com/<user>/<project>/-/archive/<sha>/<project>-<sha>.tar.gz` instead of the GitLab API endpoint that contained an encoded slash (`%2F`) between user and project. The encoded slash both triggered `406 Not Acceptable` responses from GitLab and produced virtual store directory names that Node refused to import (`ERR_INVALID_MODULE_SPECIFIER`) [#​11533](https://redirect.github.com/pnpm/pnpm/issues/11533). - Honor `NPM_CONFIG_USERCONFIG` (and its lowercase `npm_config_userconfig` form) as a low-priority fallback when locating the user-level `.npmrc`. This restores compatibility with environments that point npm at a custom auth file via that env var — most notably `actions/setup-node`, which writes registry credentials to `${runner.temp}/.npmrc` and exports `NPM_CONFIG_USERCONFIG` to reference it. Without this, GitHub Actions workflows using `actions/setup-node` to authenticate to private registries broke after upgrading to pnpm v11. PNPM-prefixed env vars and `npmrcAuthFile` from the global `config.yaml` continue to take precedence [#​11539](https://redirect.github.com/pnpm/pnpm/issues/11539). - Fix `pnpm pack` not bundling dependencies listed in `bundleDependencies` (or `bundledDependencies`). The npm-packlist upgrade in pnpm 11 changed its API to require the caller to pre-populate the dependency tree, which the wrapper was not doing — `bundleDependencies` were silently dropped from the tarball [#​11519](https://redirect.github.com/pnpm/pnpm/issues/11519). - Fixed the pnpm CLI crashing with a confusing `SyntaxError: Invalid regular expression flags` instead of printing a clear "requires Node.js v22.13" error when launched on an unsupported Node.js version. The Node.js version check in `bin/pnpm.mjs` was effectively dead code because the static `import` of the bundled `dist/pnpm.mjs` was hoisted by the ES module loader and parsed before the check could run [#​11546](https://redirect.github.com/pnpm/pnpm/issues/11546). - Fixed `pnpm --prefix=<dir> install` overwriting the existing `pnpm-workspace.yaml` in `<dir>` with `set this to true or false` placeholders. The renamed `--prefix` option (which maps to `dir`) was not honored when locating the workspace root, so the workspace manifest's `allowBuilds` settings were not loaded into config and got clobbered when ignored builds were auto-populated [#​11535](https://redirect.github.com/pnpm/pnpm/issues/11535). - Fixed `pnpm publish --provenance` failing with a 422 from the registry when the package version contained semver build metadata (e.g. `1.0.0-canary.0+abc1234`). The `+<build>` segment is now stripped before packing so that the version embedded in the tarball, the metadata sent to the registry, and the sigstore provenance subject all agree [#​11518](https://redirect.github.com/pnpm/pnpm/issues/11518). </details> <details> <summary>silverwind/rolldown-license-plugin (rolldown-license-plugin)</summary> ### [`v3.0.5`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.5) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.4...3.0.5) - update deps, bump rolldown to 1.0.0 (silverwind) - Update vitest-config-silverwind to 11.3.3, add Node 26 to CI (silverwind) - update deps (silverwind) </details> <details> <summary>swagger-api/swagger-ui (swagger-ui-dist)</summary> ### [`v5.32.6`](https://redirect.github.com/swagger-api/swagger-ui/releases/tag/v5.32.6) [Compare Source](https://redirect.github.com/swagger-api/swagger-ui/compare/v5.32.5...v5.32.6) ##### Bug Fixes - **deps-dev:** address undici vulnerability ([#​10870](https://redirect.github.com/swagger-api/swagger-ui/issues/10870)) ([35f5a6a]( |
||
|
Giteabot
|
6a27066269 |
fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test (#37662)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [mermaid](https://redirect.github.com/mermaid-js/mermaid) | [`11.14.0` → `11.15.0`](https://renovatebot.com/diffs/npm/mermaid/11.14.0/11.15.0) |  |  | --- ### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection [CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) / [GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) <details> <summary>More information</summary> #### Details ##### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ##### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f]( |
||
|
Giteabot
|
8cd8291ed0 |
fix(deps): update npm dependencies (#37647)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/autocomplete | [`6.20.1` → `6.20.2`](https://renovatebot.com/diffs/npm/@codemirror%2fautocomplete/6.20.1/6.20.2) |  |  | | @​codemirror/lint | [`6.9.5` → `6.9.6`](https://renovatebot.com/diffs/npm/@codemirror%2flint/6.9.5/6.9.6) |  |  | | @​codemirror/view | [`6.41.1` → `6.42.0`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.41.1/6.42.0) |  |  | | [vue](https://vuejs.org/) ([source](https://redirect.github.com/vuejs/core)) | [`3.5.33` → `3.5.34`](https://renovatebot.com/diffs/npm/vue/3.5.33/3.5.34) |  |  | --- ### Release Notes <details> <summary>vuejs/core (vue)</summary> ### [`v3.5.34`](https://redirect.github.com/vuejs/core/blob/HEAD/CHANGELOG.md#3534-2026-05-06) [Compare Source](https://redirect.github.com/vuejs/core/compare/v3.5.33...v3.5.34) ##### Bug Fixes - **compiler-sfc:** infer Vue ref wrapper types when source is unresolvable ([#​14758](https://redirect.github.com/vuejs/core/issues/14758)) ([7f46fd4]( |
||
|
Giteabot
|
a603f89fce |
fix(deps): update npm dependencies (#37636)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[@typescript-eslint/parser](https://typescript-eslint.io/packages/parser)
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser))
| [`8.59.1` →
`8.59.2`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.1/8.59.2)
|
|
|
| [eslint-plugin-vue](https://eslint.vuejs.org)
([source](https://redirect.github.com/vuejs/eslint-plugin-vue)) |
[`10.9.0` →
`10.9.1`](https://renovatebot.com/diffs/npm/eslint-plugin-vue/10.9.0/10.9.1)
|
|
|
| [jiti](https://redirect.github.com/unjs/jiti) | [`2.6.1` →
`2.7.0`](https://renovatebot.com/diffs/npm/jiti/2.6.1/2.7.0) |
|
|
| [postcss](https://postcss.org/)
([source](https://redirect.github.com/postcss/postcss)) | [`8.5.13` →
`8.5.14`](https://renovatebot.com/diffs/npm/postcss/8.5.13/8.5.14) |
|
|
| [stylelint](https://stylelint.io)
([source](https://redirect.github.com/stylelint/stylelint)) | [`17.10.0`
→
`17.11.0`](https://renovatebot.com/diffs/npm/stylelint/17.10.0/17.11.0)
|
|
|
|
[typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint)
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint))
| [`8.59.1` →
`8.59.2`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.1/8.59.2)
|
|
|
| [updates](https://redirect.github.com/silverwind/updates) | [`17.16.8`
→ `17.16.9`](https://renovatebot.com/diffs/npm/updates/17.16.8/17.16.9)
|
|
|
---
### Release Notes
<details>
<summary>typescript-eslint/typescript-eslint
(@​typescript-eslint/parser)</summary>
###
[`v8.59.2`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8592-2026-05-04)
[Compare
Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.1...v8.59.2)
This was a version bump only for parser to align it with other projects,
there were no code changes.
See [GitHub
Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.2)
for more information.
You can read about our [versioning
strategy](https://typescript-eslint.io/users/versioning) and
[releases](https://typescript-eslint.io/users/releases) on our website.
</details>
<details>
<summary>vuejs/eslint-plugin-vue (eslint-plugin-vue)</summary>
###
[`v10.9.1`](https://redirect.github.com/vuejs/eslint-plugin-vue/blob/HEAD/CHANGELOG.md#1091)
[Compare
Source](https://redirect.github.com/vuejs/eslint-plugin-vue/compare/v10.9.0...v10.9.1)
##### Patch Changes
- Updated peer dependency version for
[`vue-eslint-parser`](https://redirect.github.com/vuejs/vue-eslint-parser)
to fix parsing errors in Vue SFCs
([#​3075](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3075))
</details>
<details>
<summary>unjs/jiti (jiti)</summary>
###
[`v2.7.0`](https://redirect.github.com/unjs/jiti/blob/HEAD/CHANGELOG.md#v270)
[Compare
Source](https://redirect.github.com/unjs/jiti/compare/v2.6.1...v2.7.0)
[compare
changes](https://redirect.github.com/unjs/jiti/compare/v2.6.1...v2.7.0)
##### 🚀 Enhancements
- Add explicit resource management (using/await using) support
([#​422](https://redirect.github.com/unjs/jiti/pull/422))
- Support opt-in `tsconfigPaths`
([#​427](https://redirect.github.com/unjs/jiti/pull/427))
- Support virtual modules option
([#​428](https://redirect.github.com/unjs/jiti/pull/428))
- Add `jiti/static` export
([#​430](https://redirect.github.com/unjs/jiti/pull/430))
##### 🔥 Performance
- **interopDefault:** Add caching to reduce proxy overhead by \~2x
([#​421](https://redirect.github.com/unjs/jiti/pull/421))
##### 🩹 Fixes
- **require:** Passthrough resolve options
([#​412](https://redirect.github.com/unjs/jiti/pull/412))
- **ci:** Skip `--coverage` flag for node 18
([fe264b4](https://redirect.github.com/unjs/jiti/commit/fe264b4))
- **require:** Fallback to transpilation when `tryNative` fails
([#​413](https://redirect.github.com/unjs/jiti/pull/413))
- Fallback for `ENAMETOOLONG` when evaluating esm
([#​429](https://redirect.github.com/unjs/jiti/pull/429))
##### 📦 Build
- Upgrade rspack
([55194fb](https://redirect.github.com/unjs/jiti/commit/55194fb))
- Experimental rolldown config
([8c0243f](https://redirect.github.com/unjs/jiti/commit/8c0243f))
##### 🏡 Chore
- Fix lint issues
([4045c7a](https://redirect.github.com/unjs/jiti/commit/4045c7a))
- Update deps
([e88ac44](https://redirect.github.com/unjs/jiti/commit/e88ac44))
- Update deps
([498e8d7](https://redirect.github.com/unjs/jiti/commit/498e8d7))
- Add missing prettier dep
([650bc48](https://redirect.github.com/unjs/jiti/commit/650bc48))
- Lint ([058d91a](https://redirect.github.com/unjs/jiti/commit/058d91a))
- Init agents.md
([c49c54e](https://redirect.github.com/unjs/jiti/commit/c49c54e))
- Update agents.md
([4deba16](https://redirect.github.com/unjs/jiti/commit/4deba16))
- Update deps
([
|
||
|
silverwind
|
b4085c7e3c |
build: update pnpm to v11 (#37591)
Update to https://github.com/pnpm/pnpm/releases/tag/v11.0.0 - move all pnpm settings to `pnpm-workspace.yaml`, pnpm v11 only reads that file - drop redundant or no-op settings - disable `strictDepBuilds` to avoid having to manually specify deps with build scripts, this is equivalent to v10 where it will not execute and warn. - add workarounds for https://github.com/SukkaW/nolyfill/issues/119 - remove dead eslintrc entry --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> |
||
|
Sebastian Ertz
|
89a49de0fd |
Update go js py dependencies (#37525)
| go | from | to | | --- | --- | --- | | connectrpc.com/connect | `1.19.1 ` | `1.19.2` | | github.com/Azure/go-ntlmssp | `0.1.0` | `0.1.1` | | github.com/alecthomas/chroma/v2 | `2.23.1` | `2.24.1` | | github.com/aws/aws-sdk-go-v2/credentials | `1.19.15` | `1.19.16` | | github.com/aws/aws-sdk-go-v2/service/codecommit | `1.33.13` | `1.33.14` | | github.com/blevesearch/bleve/v2 | `2.5.7` | `2.6.0` | | github.com/caddyserver/certmagic | `0.25.2` | `0.25.3` | | github.com/fsnotify/fsnotify | `1.9.0` | `1.10.1` | | github.com/getkin/kin-openapi | `0.134.0` | `0.137.0` | | github.com/go-co-op/gocron/v2 | `2.21.0` | `2.21.1` | | github.com/go-sql-driver/mysql | `1.9.3` | `1.10.0` | | github.com/go-webauthn/webauthn | `0.16.5` | `0.17.2` | | github.com/klauspost/compress | `1.18.5` | `1.18.6` | | github.com/mattn/go-isatty | `0.0.21` | `0.0.22` | | github.com/mattn/go-sqlite3 | `1.14.42` | `1.14.44` | | github.com/minio/minio-go/v7 | `7.0.100` | `7.1.0` | | github.com/redis/go-redis/v9 | `9.18.0` | `9.19.0` | | google.golang.org/grpc | `1.80.0` | `1.81.0` | | gopkg.in/ini.v1 | `1.67.1` | `1.67.2` | | js | from | to | | --- | --- | --- | | @codemirror/search | `6.6.0` | `6.7.0` | | @primer/octicons | `19.24.1` | `19.25.0` | | clippie | `4.1.14` | `4.1.15` | | easymde | `2.20.0` | `2.21.0` | | postcss | `8.5.10` | `8.5.13` | | rolldown-license-plugin | `3.0.1` | `3.0.4` | | swagger-ui-dist | `5.32.4` | `5.32.5` | | vite | `8.0.9` | `8.0.10` | | vite-string-plugin | `2.0.2` | `2.0.4` | | vue | `3.5.32` | `3.5.33` | | @typescript-eslint/parser | `8.59.0` | `8.59.1` | | eslint | `10.2.1` | `10.3.0` | | eslint-plugin-vue | `10.8.0` | `10.9.0` | | globals | `17.5.0` | `17.6.0` | | material-icon-theme | `5.33.1` | `5.34.0` | | spectral-cli-bundle | `1.0.7` | `1.0.8` | | stylelint | `17.8.0` | `17.10.0` | | typescript-eslint | `8.59.0` | `8.59.1` | | updates | `17.16.3` | `17.16.8` | | vitest | `4.1.4` | `4.1.5` | | vue-tsc | `3.2.7` | `3.2.8` | | pnpm | `10.33.0` | `10.33.2` | | py | from | to | | --- | --- | --- | | click | `8.3.2` | `8.3.3` | | pathspec | `1.0.4` | `1.1.1` | --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
rootful
|
3d838ef96a |
Fix mCaptcha broken after Vite migration (#37492)
After the Webpack-to-Vite migration (#37002), mCaptcha stopped working entirely on the registration page, throwing an error: `TypeError: setting getter-only property "INPUT_NAME"` This fix stops trying to mutate the read-only INPUT_NAME export. Instead it probes for the Widget constructor at module.default (direct) or module.default.default (CJS-wrapped), constructs the widget, and then renames the hidden input element it creates to m-captcha-response which is the field name Gitea's backend reads from the submitted form. Generative AI was used to help with making this PR. --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
silverwind
|
99cd4f6b22 |
Integrate renovate bot for all dependency updates (#37050)
Replaces Dependabot with Renovate. The new setup: - One PR per ecosystem (GitHub Actions, Go modules + Makefile go-tool pins, npm, Python via uv, Nix flake), opened weekly on Mondays with a 5-day release-age cooldown. Vulnerability PRs ship next-day via daily cron + Renovate's `vulnerabilityAlerts` schedule bypass. - All `uses:` action refs SHA-pinned with patch-level version comments (same format as #36971, which this supersedes); `helpers:pinGitHubActionDigests` keeps future bumps in that format. - `renovatebot/github-action` runtime image pinned via the upstream-recommended `RENOVATE_VERSION` env + magic comment + `customManagers:githubActionsVersions` preset, so Renovate keeps the pin updated. - Custom regex manager tracks the `*_PACKAGE ?= <import-path>@<version>` lines in `Makefile` (golangci-lint, swagger, actionlint, etc.) and groups them into the same Go PR via `matchDatasources: ["go"]`. - Post-upgrade tasks regenerate `assets/go-licenses.json` (`make tidy`) and the SVG sprite (`make svg`), gated by an env-level command allowlist. - Replaces the standalone `cron-flake-updater` workflow — Renovate's nix manager tracks `flake.nix` inputs and produces the same `flake.lock` bump PRs on the regular weekly schedule. - npm and gomod-replace pins live in `renovate.json5` only; `updates@17.16.3` reads them from there too, so the standalone `updates.config.ts` is gone and one source of truth covers both tools. Fixes: https://github.com/go-gitea/gitea/issues/33386 Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
Sebastian Ertz
|
3f3bebda0d |
Update go js dependencies (#37312)
| go | from | to | | --- | --- | --- | | github.com/aws/aws-sdk-go-v2/credentials | `1.19.14` | `1.19.15` | | github.com/aws/aws-sdk-go-v2/service/codecommit | `1.33.12` | `1.33.13` | | github.com/dlclark/regexp2 | `1.11.5` | `1.12.0` | | github.com/go-co-op/gocron/v2 | `2.20.0` | `2.21.0` | | github.com/go-webauthn/webauthn | `0.16.4` | `0.16.5` | | js | from | to | | --- | --- | --- | | @codemirror/view | `6.41.0` | `6.41.1` | | @primer/octicons | `19.24.0` | `19.24.1` | | clippie | `4.1.10` | `4.1.14` | | postcss | `8.5.9` | `8.5.10` | | rolldown-license-plugin | `2.2.5` | `3.0.1` | | swagger-ui-dist | `5.32.2` | `5.32.4` | | vite | `8.0.8` | `8.0.9` | | @typescript-eslint/parser | `8.58.2` | `8.59.0` | | @vitest/eslint-plugin | `1.6.15` | `1.6.16` | | eslint | `10.2.0` | `10.2.1` | | eslint-plugin-playwright | `2.10.1` | `2.10.2` | | eslint-plugin-sonarjs | `4.0.2` | `4.0.3` | | happy-dom | `20.8.9` | `20.9.0` | | stylelint | `17.7.0` | `17.8.0` | | typescript | `6.0.2` | `6.0.3` | | typescript-eslint | `8.58.2` | `8.59.0` | | updates | `17.15.3` | `17.15.5` | | vue-tsc | `3.2.6` | `3.2.7` | Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: silverwind <silv3rwind@gmail.com> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
silverwind
|
1d25bb22f4 |
Move heatmap to first-party code (#37262)
Replaces `@silverwind/vue3-calendar-heatmap` with an inlined SVG implementation. Renders pixel-identically to `main`, drops the `onMounted` legend viewBox workaround, and uses tippy's `createSingleton` for the hover tooltip. Adds an e2e test for tooltip display. This is a prereq for migrating tippy.js to [floating-ui](https://github.com/floating-ui/floating-ui) to avoid having two tooltip libs active. <img width="861" height="168" alt="image" src="https://github.com/user-attachments/assets/99343cf6-6e09-42c7-a80d-63dbf33cf56a" /> --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
PineBale
|
2bfaa33347 |
Replace dropzone with @deltablot/dropzone (#37237)
Fix #37228. Using NicolasCARPi/dropzone as short-term solution |
||
|
wxiaoguang
|
2644bb8490 |
Remove htmx (#37224)
Close #35059 Slightly improved the "fetch action" framework and started adding tests for it. --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: silverwind <me@silverwind.io> |
||
|
Sebastian Ertz
|
b55528b1a2 |
Update go js py dependencies (#37204)
| go | from | to | | --- | --- | --- | | github.com/go-webauthn/webauthn | `0.16.3` | `0.16.4` | | github.com/meilisearch/meilisearch-go | `0.36.1` | `0.36.2` | | golang.org/x/crypto | `0.49.0` | `0.50.0` | | golang.org/x/image | `0.38.0` | `0.39.0` | | golang.org/x/net | `0.52.0` | `0.53.0` | | golang.org/x/text | `0.35.0` | `0.36.0` | | js | from | to | | --- | --- | --- | | @primer/octicons | `19.23.1` | `19.24.0` | | @vitejs/plugin-vue | `6.0.5` | `6.0.6` | | rolldown-license-plugin | `2.2.0` | `2.2.5` | | vite | `8.0.7` | `8.0.8` | | @types/node | `25.5.2` | `25.6.0` | | @typescript-eslint/parser | `8.58.1` | `8.58.2` | | @vitest/eslint-plugin | `1.6.14` | `1.6.15` | | globals | `17.4.0` | `17.5.0` | | stylelint | `17.6.0` | `17.7.0` | | typescript-eslint | `8.58.1` | `8.58.2` | | updates | `17.13.5` | `17.15.3` | | vitest | `4.1.3` | `4.1.4` | | py | from | to | | --- | --- | --- | | click | `8.3.1` | `8.3.2` | | json5 | `0.13.0` | `0.14.0` | | regex | `2026.2.19` | `2026.4.4` | | tomli | `2.4.0` | `2.4.1` | |
||
|
silverwind
|
04fb6f1c0b |
Replace rollup-plugin-license with rolldown-license-plugin (#37130)
Replace `rollup-plugin-license` and `wrap-ansi` with [`rolldown-license-plugin`](https://github.com/silverwind/rolldown-license-plugin), a zero-dependency plugin with async parallel I/O and built-in word wrapping. - Removes `rollup-plugin-license` (pulls in `lodash`, `moment`) and `wrap-ansi` from the dependency tree - License build time reduced by ~40% (370ms vs 640ms) - Added e2e test for `licenses.txt` Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> |
||
|
Sebastian Ertz
|
714f4207d9 |
Update javascript dependencies (#37142)
--- | | from | to | | --- | ---- | --- | | esbuild | `0.27.4` | `0.28.0` | | katex | `0.16.44` | `0.16.45` | | postcss | `8.5.8` | `8.5.9` | | swagger-ui-dist | `5.32.1` | `5.32.2` | | vite | `8.0.5` | `8.0.7` | | vue | `3.5.31` | `3.5.32` | |
||
|
Lunny Xiao
|
290edc1614 | upgrade vite (#37126) | ||
|
silverwind
|
3a9cab034b |
Update JS dependencies and misc tweaks (#37064)
- Update all JS deps - Regenerate SVGs - Add new eslint rules from unicorn - Update typescript config for 6.0, remove deprecated options in favor of `strict` with disablements, remove implicit dom libs. - Set vite log level during `watch-frontend` to `warn` to avoid confusing URLs or HMR spam from the dev server to keep the log concise. Overridable via `FRONTEND_DEV_LOG_LEVEL`. Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> |
||
|
silverwind
|
e2e8509239 |
Replace Monaco with CodeMirror (#36764)
- Replace monaco-editor with CodeMirror 6 - Add `--color-syntax-*` CSS variables for all syntax token types, shared by CodeMirror, Chroma and EasyMDE - Consolidate chroma CSS into a single theme-independent file (`modules/chroma.css`) - Syntax colors in the code editor now match the code view and light/dark themes - Code editor is now 12px instead of 14px font size to match code view and GitHub - Use a global style for kbd elements - When editing existing files, focus will be on codemirror instead of filename input. - Keyboard shortcuts are roughtly the same as VSCode - Add a "Find" button, useful for mobile - Add context menu similar to Monaco - Add a command palette (Ctrl/Cmd+Shift+P or F1) or via button - Add clickable URLs via Ctrl/Cmd+click - Add e2e test for the code editor - Remove `window.codeEditors` global - The main missing Monaco features are hover types and semantic rename but these were not fully working because monaco operated only on single files and only for JS/TS/HTML/CSS/JSON. | | Monaco (main) | CodeMirror (cm) | Delta | |---|---|---|---| | **Build time** | 7.8s | 5.3s | **-32%** | | **JS output** | 25 MB | 14 MB | **-44%** | | **CSS output** | 1.2 MB | 1012 KB | **-17%** | | **Total (no maps)** | 23.3 MB | 12.1 MB | **-48%** | Fixes: #36311 Fixes: #14776 Fixes: #12171 <img width="1333" height="555" alt="image" src="https://github.com/user-attachments/assets/f0fe3a28-1ed9-4f22-bf25-2b161501d7ce" /> --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
silverwind
|
e15219d810 |
Raise minimum Node.js version to 22.18.0 (#37058)
Remove the experimental strip types check and `NODE_VARS` mechanism from the Makefile, as Node.js 22.18.0+ has native TypeScript type stripping support. https://nodejs.org/en/blog/release/v22.18.0 was released 8 months ago and has now trickled into all major Linux distros like Alpine 3.23+. --- This PR was written with the help of Claude Opus 4.6 Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> |
||
|
silverwind
|
0ec66b5380 |
Migrate from webpack to vite (#37002)
Replace webpack with Vite 8 as the frontend bundler. Frontend build is around 3-4 times faster than before. Will work on all platforms including riscv64 (via wasm). `iife.js` is a classic render-blocking script in `<head>` (handles web components/early DOM setup). `index.js` is loaded as a `type="module"` script in the footer. All other JS chunks are also module scripts (supported in all browsers since 2018). Entry filenames are content-hashed (e.g. `index.C6Z2MRVQ.js`) and resolved at runtime via the Vite manifest, eliminating the `?v=` cache busting (which was unreliable in some scenarios like vscode dev build). Replaces: https://github.com/go-gitea/gitea/pull/36896 Fixes: https://github.com/go-gitea/gitea/issues/17793 Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
silverwind
|
b3c6917463 |
Update JS dependencies (#37001)
- Update all JS dependencies via `make update-js` - `webpack-cli` 6 to 7: remove `--disable-interpret` from Makefile - Fix lint: remove unnecessary type args, `toThrowError` to `toThrow` - Fix duplicate CSS selector detected by `stylelint` 17.6.0 - Change `updates.config.ts` to use `pin`, needed for `tailwindcss` - Pin `typescript` pending typescript-eslint/typescript-eslint#12123 --------- Co-authored-by: Claude (claude-opus-4-6) <noreply@anthropic.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
silverwind
|
ae0bc0222a |
Update to eslint 10 (#36925)
- Enable a few more rules, fix issues. The 2 `value` issues are false-positives. - Add exact types for `window.pageData` and `window.notificationSettings`. - peerDependencyRules for eslint-plugin-github unrestricted, the plugin works in v10, but does not declare compatibility, pending https://github.com/github/eslint-plugin-github/issues/680. - Added [eslint-plugin-de-morgan](https://github.com/azat-io/eslint-plugin-de-morgan), no violations. --------- Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
silverwind
|
28e09ffc67 |
Vendor relative-time-element as local web component (#36853)
Replace the `@github/relative-time-element` npm dependency with a vendored, simplified implementation. - Support 24h format rendering [PR 329](https://github.com/github/relative-time-element/pull/329) - Enable `::selection` styling in Firefox [PR 341](https://github.com/github/relative-time-element/pull/341) - Remove timezone from tooltips (It's always local timezone) - Clean up previous `title` workaround in tippy - Remove unused features - Use native `Intl.DurationFormat` with fallback for older browsers, remove dead polyfill - Add MIT license header to vendored file - Add unit tests - Add dedicated devtest page for all component variants --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude claude-opus-4-6 20250630 <noreply@anthropic.com> |
||
|
silverwind
|
6e7bc1e635 |
Update JS deps (#36850)
Gets rid of all open vulns except https://github.com/microsoft/monaco-editor/issues/5248. Cursorly tested, works. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
Lunny Xiao
|
9c2c9c5a00 | upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (#36837) | ||
|
Théo LUDWIG
|
9fe5b70e3e |
build(deps): update material-icon-theme v5.32.0 (#36832)
Updated https://github.com/material-extensions/vscode-material-icon-theme to v5.32.0 and ran `make svg && git add --all` |
||
|
silverwind
|
fed2d81e88 |
Update JS and PY deps (#36708)
`colord` reordered in package.json, otherwise just maintenance updates. |
||
|
silverwind
|
91dc737a35 |
Replace tinycolor2 with colord (#36673)
[`colord`](https://github.com/omgovich/colord) is significantly smaller than [`tinycolor2`](https://github.com/bgrins/TinyColor) (~4KB vs ~29KB minified) and ships its own TypeScript types, removing the need for `@types/tinycolor2`. Behaviour is exactly the same for our use cases. By using `.alpha(1)` we force the function to always output 6-digit hex format (it would output 8-digit for non-opaque colors). --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> |
||
|
silverwind
|
5e9b9b33d1 |
Clean up Makefile, tests and legacy code (#36638)
This simplifies the Makefile by removing the whole-file wrapping that creates a tempdir introduced by https://github.com/go-gitea/gitea/pull/11126. REPO_TEST_DIR is removed as well. Also clean up a lot of legacy code: unnecessary XSS test, incorrect test env init, unused "_old_uid" hack, etc Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
silverwind
|
ddacefa5d6 |
Update JS deps (#36656)
Fixes a [security issue in mermaid](https://github.com/mermaid-js/mermaid/issues/7345), tested mermaid and asciinema. |
||
|
silverwind
|
2d70d37bff |
Update JS and PY deps (#36576)
eslint v10 is excluded from updates because the plugins are not compatible yet. |
||
|
silverwind
|
49e6d5f6d6 |
Add elk layout support to mermaid (#36486)
Fixes: https://github.com/go-gitea/gitea/issues/34769 This allows the user to opt-in to using `elk` layouts using either YAML frontmatter or `%%{ init` directives inside the markup code block. The default layout is not changed. --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
silverwind
|
7292ae1ed5 |
Update JS deps, remove knip, misc tweaks (#36499)
- Update all JS deps - Enable a few more stylelint stylistic rules and fix issues - Remove knip, it raised another false-positive, this tool is not worth it when you have to babysit it like that - Exclude @eslint/json from updating as it requires unreleased eslint 10 ([ref](https://github.com/eslint/json/issues/207)) - Update labeler config for new eslint filenames - Adjust `make help` output - Add type checking in `stylelint.config.ts` |
||
|
wxiaoguang
|
4c8f6dfa4e |
Support rendering OpenAPI spec (#36449)
Fix #20852 |
||
|
silverwind
|
12a81d38c1 |
Add knip linter (#36442)
This adds [knip](https://github.com/webpro-nl/knip), a tool to find unused files, dependencies and exports in JS. Fixed all discovered issues. 1. knip apparently has some issue resolving imports from `d.ts` to `.ts` so I worked around it by moving the two affected types to where they are used. 2. I don't know why `modules/fomantic/dropdown.ts` had a new typescript error, but I fixed it. 3. Use named export for `EsbuildPlugin`, I think this was added recently. |
||
|
silverwind
|
5925433fe6 |
Update JS dependencies, adjust webpack config, misc fixes (#36431)
1. Upgrade to [jQuery
4.0](https://blog.jquery.com/2026/01/17/jquery-4-0-0/). Two of the
removed APIs are in use by fomantic, but there are [polyfills
present](
|
||
|
Bart van der Braak
|
2f377e8552 | Update material-icon-theme to v5.31.0 (#36427) | ||
|
silverwind
|
49edbbbc2e |
Update JS and PY deps (#36383)
- Update JS and PY dependencies - Workaround https://github.com/stylelint/stylelint/issues/8893 by moving the stylint config file to JS - Regenerate SVGs - Bump to python 3.14 in devcontainer and actions - Verified `@github/text-expander-element` - Removed obsolete type stub |
||
|
silverwind
|
2859b0602a |
Update JS deps (#36354)
- Update all JS deps - Regenerate SVGs - Enable new lint rules and fix issues - Tested affected dependencies |
||
|
silverwind
|
16aa0fcc98 |
Add date to "No Contributions" tooltip (#36190)
Fixes https://github.com/go-gitea/gitea/issues/36188 via
|
||
|
silverwind
|
b915e6908c |
Add JSON linting (#36192)
Uses https://github.com/eslint/json to lint all JSON and JSONC files in the repo. |
||
|
silverwind
|
ad49b7bf31 |
Update JS deps and eslint enhancements (#36147)
- Update all JS deps - Tested affected `dependencies` - Replace eslint `unstable_native_nodejs_ts_config` with optional `jiti` dependency. This will be more compatible with editor integrations that may not pass this flag. - Enable additional eslint rules, no new issues - Move `typescript` to `devDependencies` because `make frontend` works without it |
||
|
Dawid Góra
|
0e916c67cc |
Automatic generation of release notes (#35977)
Similar to GitHub, release notes can now be generated automatically. The generator is server-side and gathers the merged PRs and contributors and returns the corresponding Markdown text. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
silverwind
|
ca8c4ebecd |
Update JS deps (#36091)
Result of `make update-js svg && git add --all`. Tested Mermaid. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
silverwind
|
9668913d76 |
Update JS deps, fix deprecations (#36040)
- Update JS deps - Regenerate SVGs - Fix air `bin` deprecation - Fix `monaco.languages.typescript` deprecation - Remove `eslint-plugin-no-use-extend-native`, it's unnecessary with typescript - Enable new `@typescript-eslint` rules - Disable `@typescript-eslint/no-redundant-type-constituents`, this rule has bugs when not running under `strictNullChecks` (pending in https://github.com/go-gitea/gitea/pull/35843). |
||
|
silverwind
|
1baca49870 |
Update JS deps (#35978)
Update JS deps, regenerate SVGs, fixed lint issues and did cursory testing of UI. |
||
|
silverwind
|
d69eede59b |
Update JS dependencies (#35759)
- Update all JS dependencies - Added new unicorn rules - `updates` now also supports updating `packageManager` and `engines`, and I see no reason not to do that, so I think we can try keeping these updated as well. If something in the build breaks because of this, I will revert and exclude `pnpm` from updating further, but as far as I understand, only corepack respects this field and pnpm itself does not care about it. - Regenerate SVGs. |
||
|
silverwind
|
cab35ff17a |
Update dependencies (#35733)
- Update all JS, Python and Makefile dependencies - Fixed two new go lint issues - Tested the affected JS dependencies. |
||
|
dependabot[bot]
|
990201dc93 |
Bump happy-dom from 20.0.0 to 20.0.2 (#35677)
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
silverwind
|
49a0a11f55 |
Update JS deps, misc tweaks (#35643)
- Update all JS dependencies - Enable eslint `no-useless-assignment` and fix 2 discovered issues - Replace `gitea-vscode` svg with new `octicon-vscode` - Remove now-unused `@ts-expect-error` comments - Change Monaco wrapping behaviour to match the wrapping in code view: no wrapping indent and break on any character. |
