mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-29 22:31:28 +00:00
cc1df1976be3593c93cdcd28b9b4fba6cb23a6ec
21054 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
bircni
|
cc1df1976b | fix: codemirror regressions (#38248) | ||
|
bircni
|
1c718da16c |
fix(api): support HEAD requests on all API GET endpoints (#38245)
Fixes #38226 ## Summary Add `chi_middleware.GetHead` as the first `BeforeRouting` middleware on the API router. This makes every API `GET` endpoint automatically handle `HEAD` requests, as required by RFC 9110 §9.3.2. Previously, `HEAD` requests to endpoints like `GET /repos/{owner}/{repo}/git/commits/{sha}` returned `405 Method Not Allowed`. The web router already used this same middleware (see `routers/web/web.go:261`), so this aligns API behaviour with the web router. ## Changes - `routers/api/v1/api.go`: add `chi_middleware.GetHead` middleware to the API router - `tests/integration/api_repo_git_commits_test.go`: add `TestAPIReposGitCommitsHEAD` verifying HEAD returns 200 on a valid ref and 404 (not 405) on a missing ref |
||
|
bircni
|
ce8cf22af9 |
fix(actions): don't swallow HTML entities into linkified URLs (#38239)
In the Actions log viewer, a double-quoted URL renders with a stray extra `;` after it. Reported in `gitea/runner#1046` Remove the buggy AI slop `linkifyURLs` and use new approach to process URLs in text --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
Lunny Xiao
|
5b9251150c |
fix(actions): address workflow status badge review feedback (#38241)
Follow https://github.com/go-gitea/gitea/pull/38196#discussion_r3487219492 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: bircni <bircni@icloud.com> |
||
|
bircni
|
1d43b736b5 |
fix(actions): deny fork-PR cross-repo access via collaborative owner (#38214)
### What
`GetActionsUserRepoPermission` (`models/perm/access/repo_permission.go`)
decides whether an Actions task token may access a target repo. Its
cross-repo branches each enforce a fork-PR discriminator — except the
collaborative-owner branch, which was missing the
`!task.IsForkPullRequest` guard that its sibling
`checkSameOwnerCrossRepoAccess` has.
As a result, when a private repo **B** lists owner **A** as a
collaborative owner, an attacker-controlled fork pull-request workflow
whose base repo is owned by A was granted code-read on B — i.e. the
fork's workflow could clone a third private repository it has no rights
to (read-only confidentiality breach).
### Fix
Add the same fork-PR guard the sibling path already enforces:
```go
if taskRepo.IsPrivate && !task.IsForkPullRequest {
actionsUnit := repo.MustGetUnit(ctx, unit.TypeActions)
if actionsUnit.ActionsConfig().IsCollaborativeOwner(taskRepo.OwnerID) {
return maxPerm, nil
}
}
```
|
||
|
Zettat123
|
f46c9a9769 |
feat(actions): support owner-level and global scoped workflows (#38154)
## Summary This PR adds **scoped workflows** to Gitea Actions. Workflows defined centrally in a "source" repository that automatically run on every repository in scope: an organization's repositories, or (for instance admins) every repository on the instance. Each scoped run executes in the consuming repository's own context (its runners, secrets, and branch) while its content is read from the source repository, so an org or instance can mandate shared CI across many repositories without copying workflow files into each one. An owner or instance admin registers source repositories on a settings page and can mark individual workflows as **required**. A required scoped workflow cannot be opted out by a consuming repository and gates its pull-request merges; an optional one can be disabled per repository. Scoped workflows live under a dedicated `SCOPED_WORKFLOW_DIRS` (default `.gitea/scoped_workflows`), kept separate from regular `WORKFLOW_DIRS`. ## Main changes ### Configuration New `SCOPED_WORKFLOW_DIRS` setting, validated to not overlap with `WORKFLOW_DIRS`. Default: `.gitea/scoped_workflows` ### Data model & migration - New `action_scoped_workflow_source` table mapping a registering owner (`owner_id`, where `0` = instance-level) to a source repository, with a per-workflow `WorkflowConfigs` map. - `ActionRun` gains `WorkflowRepoID` / `WorkflowCommitSHA` (the pinned content source) and an `IsScopedRun` flag. ### Detection & run creation On consumer events, scoped workflows from the effective sources (the owner's own sources plus instance-level ones) are matched and turned into runs that execute in the consumer's context, with content pinned to the source repo's default-branch commit. `on: workflow_run` and `on: schedule` are currently not supported. ### Opt-out A consuming repository can disable an optional scoped workflow (tracked separately from regular `DisabledWorkflows`); required scoped workflows can never be disabled, opted out, or bypassed. ### Commit status A scoped run's status context format is `"<source repo full name>: <workflow display name> / <job> (<event>)"` (for example: `my-org/scoped-workflows: db-tests / test-sqlite (pull_request)`), keeping it distinct from a same-named repo-level workflow and from other sources. ### Required status checks Admins mark workflows required and supply status-check patterns. `EffectiveRequiredContexts` appends those patterns to the branch protection's required contexts and they are matched must-present-and-pass. If the status checks from scoped workflows fail, the PR cannot be merged. NOTE: scoped workflows' required status checks patterns can protect any target branch that has a protection rule, even though the rule's "Status Check" is disabled. A target branch with no protection rule cannot be protected. <details> <summary>Screenshots</summary> <img width="1400" alt="image" src="https://github.com/user-attachments/assets/a5d1db33-15ec-487e-93be-2bc04b4e6643" /> </details> ### Reusable workflows (`uses:`) A scoped workflow's local `uses: ./...` resolves against the source repository. `uses:` directory validation honors the instance-configurable `WORKFLOW_DIRS` and `SCOPED_WORKFLOW_DIRS` (previously hardcoded to `.gitea`/`.github/workflows`). ### Manual dispatch `workflow_dispatch` is supported for scoped workflows (web and API), resolving inputs/content from the source repo. ### Performance A process-local LRU cache keyed by source repo ID for the per-source workflow parse, so instance-level and owner-level sources don't open the source repo and parse workflow files on every event. ### UI Org / user / admin pages to register and remove sources, search repositories, and mark workflows required with their status-check patterns. The repository Actions sidebar groups scoped workflows by source with owner/instance labels and required/disabled badges. <details> <summary>Screenshots</summary> Scoped workflows setting page: <img width="1600" alt="image" src="https://github.com/user-attachments/assets/9d19f667-97a5-4935-92b2-e53f105e3642" /> Consumer repo's Actions runs list: <img width="1600" alt="image" src="https://github.com/user-attachments/assets/a77241f9-0aa9-41aa-ba73-12a9a688cb64" /> - `Owner`: this is a owner-level scoped workflows source repo - `Global`: this is a global scoped workflows source repo - `Required`: this scoped workflow is required, repo admin cannot disable it </details> --- Docs: https://gitea.com/gitea/docs/pulls/447 --------- Co-authored-by: bircni <bircni@icloud.com> |
||
|
Lunny Xiao
|
c9920b7bd0 |
fix(oauth): restrict introspection to the token's client (#38042)
Bind OAuth token introspection responses to the authenticated client. Return an inactive response when the token grant belongs to a different OAuth application to avoid leaking token metadata across clients. Add integration coverage for cross-client introspection attempts against both access tokens and refresh tokens. Assisted-by: GPT-5.4 |
||
|
bircni
|
0319358e5e | fix(web): Correctly align the "disabled" label on larger workflow names (#38240) | ||
|
guanzi008
|
9540292596 |
feat(actions): add workflow status badge modal (#38196)
- Add a Create Status Badge button for selected Actions workflows. - Show badge URL, Markdown, and HTML snippets backed by the existing workflow badge route. ## Screenshots <img width="553" height="470" alt="dyn-a5d565ab915b9ffb6c02ac68113494b0" src="https://github.com/user-attachments/assets/43b4ceb9-bbd1-4024-b058-d85ec8325e88" /> <img width="349" height="156" alt="grafik" src="https://github.com/user-attachments/assets/6eaec62d-ffb0-45c0-b63d-866a41a66005" /> Fixes https://github.com/go-gitea/gitea/issues/31462 --------- Signed-off-by: guanzi008 <245205080@qq.com> Co-authored-by: bircni <bircni@icloud.com> |
||
|
maximilize
|
d392fb1438 |
fix(packages): accept npm "repository" and "bin" in string form (#38236)
## What npm allows `repository` and `bin` in `package.json` to be either an object or a plain string (npm docs: [repository](https://docs.npmjs.com/cli/v11/configuring-npm/package-json#repository), [bin](https://docs.npmjs.com/cli/v11/configuring-npm/package-json#bin)). The npm registry creator modeled `repository` as a struct and `bin` as `map[string]string`, so publishing a package whose `package.json` uses the string form failed with: ``` json: cannot unmarshal string into Go struct field PackageMetadataVersion.PackageMetadata.versions.bin of type map[string]string ``` ## Fix `modules/packages/npm/creator.go`: add `UnmarshalJSON` to `Repository` (string → `URL`) and a `Bin` type with `UnmarshalJSON` (string → a single command named after the package, per npm semantics), mirroring the existing `License` / `User` string-or-object handling. The stored `Metadata` field types are unchanged. `bundledDependencies` as a boolean (also noted in #38235) is left out of scope — it is rare and semantically different (`true` = bundle all deps). ## Test `TestParsePackage/ValidRepositoryAndBinAsString` parses a package with string `repository` and `bin`: it fails on `main` with the error above and passes with this change. The full `modules/packages/npm` suite is green and `gofmt` is clean. Fixes #38235 _AI disclosure: prepared with AI assistance; I reviewed and verified it (reproduction + tests) and can explain and defend the change._ |
||
|
bircni
|
0f5102427e |
fix(actions): ensure all waiting jobs get runners in large workflows (#38200)
## Summary Fixes two related bugs that cause jobs in large workflows (50+ parallel jobs) to never get a runner assigned even though runners are free. ### Bug 1 — Concurrent runner race When N runners all poll `FetchTask` with a stale `tasksVersion` simultaneously, they all query the same waiting job list sorted by `(updated, id)` and all pick **job #1**. Only one wins the `UPDATE WHERE task_id=0` optimistic lock; the rest return empty-handed but still receive `latestVersion` in the response. They then consider themselves "up to date" and skip `PickTask` on every subsequent poll, leaving jobs #2–50 permanently unassigned. **Fix:** `CreateTaskForRunner` now iterates through all matching waiting jobs. When the optimistic lock fails on job #1, it immediately tries job #2, then #3, etc., each in its own independent transaction so a failed attempt rolls back cleanly before the next candidate is tried. `PickTask` no longer wraps this call in an outer `db.WithTx` (which caused `halfCommitter` entanglement that prevented per-attempt rollbacks). ### Bug 2 — Idle runner doesn't re-check after finishing a task `tasks_version` only bumps when a job transitions **to** waiting (new workflow triggered, blocked→unblocked). After a runner finishes its current task it polls `FetchTask` with `tasksVersion == latestVersion`, so the server skips `PickTask` entirely — the remaining 45 waiting jobs are invisible to the now-idle runner. **Fix:** Also call `IncreaseTaskVersion` in `UpdateRunJob` when a (non-reusable-caller) job transitions to a **done** state. Idle runners then see a version mismatch on their next poll and attempt `PickTask`, picking up the remaining jobs. |
||
|
Lunny Xiao
|
cbe1b703dc |
refactor: Use db.Get[] instead of db.GetEngine(ctx).Get(bean) to avoid zero value fetching wrong database record (#37977)
This PR replaces a set of struct-based `Get` lookups with explicit `db.Get` / `db.Exist` conditions in places where zero-value fields can lead to ambiguous matches or incorrect records being returned. The main goal is to make read paths deterministic and avoid accidentally matching the wrong row when only part of a struct is populated. ### What changed - replace many `db.GetEngine(ctx).Get(bean)` calls with explicit `builder.Eq` conditions across models such as actions, admin tasks, issues, pull requests, repositories, users, packages, redirects, watches, stars, and follows - use quoted column names where needed for reserved fields like `index`, `type`, and `name` - add dedicated user lookup helpers for: - primary email - OAuth login source / login name - update sign-in and OAuth-related flows to use explicit individual-user lookups instead of partially populated `User` structs - tighten package property and Terraform lock lookups to avoid ambiguous reads and updates - keep existing fallback behavior where needed, while removing reliance on zero-value struct matching ### User-facing impact These changes primarily affect authentication and account lookup paths: - email/username sign-in now re-fetches users through explicit keys - OAuth2 auto-linking now resolves users by name or primary email explicitly - OAuth2 login/sync now looks up users by login source, login type, and login name explicitly - non-individual accounts are no longer implicitly matched through partial user lookups in these flows This should reduce the risk of incorrect account matches and make query behavior more predictable across the codebase. --------- Co-authored-by: bircni <bircni@icloud.com> |
||
|
bircni
|
d5e6f273f0 |
fix(migrations): prevent path traversal in repository restore (#38215)
## Problem The repository restorer (`services/migrations/restore.go`) builds `file://` URLs for release attachments and PR patches by joining user-supplied paths from `release.yml` and `pull_request.yml` onto the dump directory: ```go *asset.DownloadURL = "file://" + filepath.Join(r.baseDir, *asset.DownloadURL) pr.PatchURL = "file://" + filepath.Join(r.baseDir, pr.PatchURL) ``` `filepath.Join` cleans the path, so a crafted relative value such as `../../../../etc/passwd` resolves to an absolute path **outside** the dump directory. `uri.Open` then reads it via `os.Open` and stores the content as a release attachment, which is retrievable through the API — an arbitrary file read (Local File Inclusion) from a dump archive supplied to `restore-repo`. ## Fix Add a `localFileURL` helper that resolves the relative path against `baseDir` and rejects anything that escapes it. Malicious entries are skipped with a warning so a legitimate restore still completes; in-dump files keep working unchanged. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
Keshane Gan
|
15ee850ede |
perf(web): sort the action_run query by a repo-scoped index when possible (#38155)
The `index` column is unique per repo, but the `id` column is scoped to the whole table |
||
|
wxiaoguang
|
16c3216dc6 |
fix: js string split (#38233)
fix #38229 |
||
|
Giteabot
|
b565f3e00a |
fix(deps): update module golang.org/x/image to v0.43.0 [security] (#38219)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) | [`v0.42.0` → `v0.43.0`](https://cs.opensource.google/go/x/image/+/refs/tags/v0.42.0...refs/tags/v0.43.0) |  |  | --- ### Panic on VP8 alpha channel size mismatch in x/image/webp in golang.org/x/image [CVE-2026-46601](https://nvd.nist.gov/vuln/detail/CVE-2026-46601) / [GO-2026-5061](https://pkg.go.dev/vuln/GO-2026-5061) <details> <summary>More information</summary> #### Details The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size. #### Severity Unknown #### References - [https://go.dev/cl/787681](https://go.dev/cl/787681) - [https://go.dev/issue/79869](https://go.dev/issue/79869) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5061) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Lack of limit on tile sizes in x/image/tiff in golang.org/x/image [CVE-2026-46602](https://nvd.nist.gov/vuln/detail/CVE-2026-46602) / [GO-2026-5062](https://pkg.go.dev/vuln/GO-2026-5062) <details> <summary>More information</summary> #### Details The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption. #### Severity Unknown #### References - [https://go.dev/cl/788422](https://go.dev/cl/788422) - [https://go.dev/issue/79905](https://go.dev/issue/79905) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5062) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Panic decoding image with out-of-bounds strip offset in x/image/tiff in golang.org/x/image [CVE-2026-46604](https://nvd.nist.gov/vuln/detail/CVE-2026-46604) / [GO-2026-5066](https://pkg.go.dev/vuln/GO-2026-5066) <details> <summary>More information</summary> #### Details The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset. #### Severity Unknown #### References - [https://go.dev/cl/788421](https://go.dev/cl/788421) - [https://go.dev/issue/80122](https://go.dev/issue/80122) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5066) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
bircni
|
122ebcf0a8 | fix(api): deny private org member enumeration via /members (#38213) | ||
|
Aidan Fahey
|
1b0992eb2e | fix(actions): fix 500 error when canceling a canceling task (#38223) | ||
|
bircni
|
c2f130d352 |
fix(mssql): convert legacy DATETIME columns to DATETIME2 (#38216)
## Problem On MSSQL databases created by old Gitea versions, the real datetime columns `external_login_user.expires_at` and `lfs_lock.created` were created as `DATETIME`. `DATETIME` parses datetime literals in a locale-dependent way, so the ISO string `'YYYY-MM-DD HH:MM:SS'` that xorm sends fails to convert when the session language is not English (e.g. German defaults to `dmy`): ``` mssql: Bei der Konvertierung eines nvarchar-Datentyps in einen datetime-Datentyp liegt der Wert außerhalb des gültigen Bereichs. ``` This breaks linking an external (OAuth/Keycloak) account to an existing user, and LFS lock creation, with a 500 error. ## Fix Current xorm already maps `time.Time` to the locale-independent `DATETIME2` for new installs, so only legacy databases are affected. This adds migration `341` that converts these columns to `DATETIME2` on legacy MSSQL databases (no-op on other databases and on columns already using `DATETIME2`). A full audit of persisted `time.Time` columns in `models/` confirmed these two are the only real datetime columns affected — every other time value is stored as a unix-timestamp integer. A regression test (MSSQL-only, mirroring the existing v338 pattern) downgrades the columns to legacy `DATETIME`, runs the migration, asserts the type becomes `DATETIME2`, and verifies an ISO datetime insert succeeds under `SET LANGUAGE German`. Fixes #38211 |
||
|
Giteabot
|
2e1be0b114 |
fix(deps): update npm dependencies (#38203)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [asciinema-player](https://redirect.github.com/asciinema/asciinema-player) | [`3.15.1` → `3.16.0`](https://renovatebot.com/diffs/npm/asciinema-player/3.15.1/3.16.0) |  |  | | [eslint-plugin-sonarjs](https://redirect.github.com/SonarSource/SonarJS/blob/master/packages/analysis/src/jsts/rules/README.md) ([source](https://redirect.github.com/SonarSource/SonarJS)) | [`4.0.3` → `4.1.0`](https://renovatebot.com/diffs/npm/eslint-plugin-sonarjs/4.0.3/4.1.0) |  |  | | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.10.5` → `20.10.6`](https://renovatebot.com/diffs/npm/happy-dom/20.10.5/20.10.6) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.7.0` → `11.8.0`](https://renovatebot.com/diffs/npm/pnpm/11.7.0/11.8.0) |  |  | --- ### Release Notes <details> <summary>asciinema/asciinema-player (asciinema-player)</summary> ### [`v3.16.0`](https://redirect.github.com/asciinema/asciinema-player/releases/tag/v3.16.0): 3.16.0 [Compare Source](https://redirect.github.com/asciinema/asciinema-player/compare/v3.15.1...v3.16.0) This is a significant release, with a new keystroke overlay and major improvements to recording playback. Notable changes: - New optional keystroke overlay, toggled with the `k` key - New `cursorMode` option: `"blinking"`, `"steady"` or `"hidden"` - TypeScript definitions included in the npm package - More reliable loading, playback, seeking, stepping and looping - Recording load failures are now emitted via the `error` event - Audio loading failures no longer prevent recording playback - Improved rendering of Powerline and box-drawing symbols - Improved accessibility of control bar buttons - Standalone bundle is now compatible with LibreJS #### Keystroke overlay The new [`keystrokeOverlay`](https://docs.asciinema.org/manual/player/options/#keystrokeoverlay) option displays keys pressed during a recording: ```javascript AsciinemaPlayer.create("/demo.cast", document.getElementById("demo"), { keystrokeOverlay: true }); ``` Recent keystrokes are shown in the lower-right corner. Consecutive text input is grouped, while repeated special keys use a counter, such as `Ret × 3`. The overlay is disabled by default and can be toggled during playback with the `k` key. It requires a recording containing input events (`asciinema rec --capture-input ...`). Demo: [](https://asciinema.org/a/1258082) #### Cursor mode The new [`cursorMode`](https://docs.asciinema.org/manual/player/options/#cursormode) option controls cursor visibility: ```javascript AsciinemaPlayer.create("/demo.cast", document.getElementById("demo"), { cursorMode: "steady" }); ``` Supported modes are `"blinking"` (the default), `"steady"` and `"hidden"`. #### Playback improvements The recording playback engine has been significantly reworked. This fixes several edge cases involving reverse stepping, marker pauses, looping, seeking, posters and audio playback. Missing or invalid audio now falls back to terminal-only playback. Fatal recording load errors are emitted through the new [`error`](https://docs.asciinema.org/manual/player/api/#error-event) event. `getCurrentTime()` and `getDuration()` now return their values directly, as documented. #### TypeScript support The npm package now includes TypeScript definitions for the player API, options, recording sources, parsers and events. </details> <details> <summary>SonarSource/SonarJS (eslint-plugin-sonarjs)</summary> ### [`v4.1.0`]( |
||
|
Eyüp Can Akman
|
ef927f9fa3 |
feat(api): support ref suffixes in compare (#38148)
Compare API requests with a `^` or `~N` revision suffix (for example `compare/main...feature^`) were rejected with `400 Unsupported comparison syntax: ref with suffix`. The fix resolves the suffix to a commit before comparing, so `base...head^` and `~N` work on either side, the same as git. Only `^`/`~N` navigation is resolved. Pull request creation still requires plain branch refs, and the web compare page keeps rejecting suffixes since its branch selectors need separate UI work. Closes #33943 |
||
|
Giteabot
|
59d4825a95 | chore(deps): update module golang.org/x/vuln to v1.4.0 (#38201) | ||
|
GiteaBot
|
10da460c1b | [skip ci] Updated translations via Crowdin | ||
|
Giteabot
|
2003cf4e87 | chore(deps): update actions/checkout action to v7 (#38199) | ||
|
Royce Remer
|
736ab982c8 |
enhance: allow builtin default git config options to be overridden (#38172)
This is really a follow-up to [#38148](https://github.com/go-gitea/gitea/pull/35305) , instead of having specific mappings of options for git configurations, just honor any user-provided gitconfig. I include a test which points out the specific config I have which was previously not honored, but more generally this means that gitea now only *adds* new gitconfig and never overwrites any config provided under `[git.config]`. --------- Signed-off-by: Royce Remer <royceremer@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
GiteaBot
|
08a18d36a6 | [skip ci] Updated translations via Crowdin | ||
|
Giteabot
|
8a6697123f |
chore(deps): update action dependencies (#38191)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [crowdin/github-action](https://redirect.github.com/crowdin/github-action) | action | patch | `v2.16.2` → `v2.16.3` | | [pnpm/action-setup](https://redirect.github.com/pnpm/action-setup) | action | patch | `v6.0.8` → `v6.0.9` | --- ### Release Notes <details> <summary>crowdin/github-action (crowdin/github-action)</summary> ### [`v2.16.3`](https://redirect.github.com/crowdin/github-action/releases/tag/v2.16.3) [Compare Source](https://redirect.github.com/crowdin/github-action/compare/v2.16.2...v2.16.3) #### What's Changed - CLI [4.14.3](https://redirect.github.com/crowdin/crowdin-cli/releases/tag/4.14.3) by [@​andrii-bodnar](https://redirect.github.com/andrii-bodnar) **Full Changelog**: <https://github.com/crowdin/github-action/compare/v2.16.2...v2.16.3> </details> <details> <summary>pnpm/action-setup (pnpm/action-setup)</summary> ### [`v6.0.9`](https://redirect.github.com/pnpm/action-setup/releases/tag/v6.0.9) [Compare Source](https://redirect.github.com/pnpm/action-setup/compare/v6.0.8...v6.0.9) ##### What's Changed - fix: update pnpm to v11.7.0 by [@​zkochan](https://redirect.github.com/zkochan) in [#​267](https://redirect.github.com/pnpm/action-setup/pull/267) **Full Changelog**: <https://github.com/pnpm/action-setup/compare/v6...v6.0.9> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: bircni <bircni@icloud.com> |
||
|
Giteabot
|
2cd4506120 |
fix(deps): update npm dependencies (#38193)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/search | [`6.7.0` → `6.7.1`](https://renovatebot.com/diffs/npm/@codemirror%2fsearch/6.7.0/6.7.1) |  |  | | [@playwright/test](https://playwright.dev) ([source](https://redirect.github.com/microsoft/playwright)) | [`1.60.0` → `1.61.0`](https://renovatebot.com/diffs/npm/@playwright%2ftest/1.60.0/1.61.0) |  |  | | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.10.2` → `20.10.5`](https://renovatebot.com/diffs/npm/happy-dom/20.10.2/20.10.5) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.5.3` → `11.7.0`](https://renovatebot.com/diffs/npm/pnpm/11.5.3/11.7.0) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.8` → `4.1.9`](https://renovatebot.com/diffs/npm/vitest/4.1.8/4.1.9) |  |  | | [vue](https://vuejs.org/) ([source](https://redirect.github.com/vuejs/core)) | [`3.5.37` → `3.5.38`](https://renovatebot.com/diffs/npm/vue/3.5.37/3.5.38) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.3.4` → `3.3.5`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.4/3.3.5) |  |  | --- ### Release Notes <details> <summary>microsoft/playwright (@​playwright/test)</summary> ### [`v1.61.0`](https://redirect.github.com/microsoft/playwright/releases/tag/v1.61.0) [Compare Source](https://redirect.github.com/microsoft/playwright/compare/v1.60.0...v1.61.0) #### 🔑 WebAuthn passkeys New [Credentials](https://playwright.dev/docs/api/class-credentials) virtual authenticator, available via [browserContext.credentials](https://playwright.dev/docs/api/class-browsercontext#browser-context-credentials), lets tests register passkeys and answer `navigator.credentials.create()` / `navigator.credentials.get()` ceremonies in the page — no real hardware key required, works in all browsers: ```js const context = await browser.newContext(); // Seed a passkey your backend provisioned for a test user. await context.credentials.create('example.com', { id: credentialId, userHandle, privateKey, publicKey, }); await context.credentials.install(); const page = await context.newPage(); await page.goto('https://example.com/login'); // The page's navigator.credentials.get() is answered with the seeded passkey. ``` You can also let the app register a passkey once in a setup test, read it back with [credentials.get()](https://playwright.dev/docs/api/class-credentials#credentials-get), and seed it into later tests — see [Credentials](https://playwright.dev/docs/api/class-credentials) for details. #### 🗃️ Web Storage New [WebStorage](https://playwright.dev/docs/api/class-webstorage) API, available via [page.localStorage](https://playwright.dev/docs/api/class-page#page-local-storage) and [page.sessionStorage](https://playwright.dev/docs/api/class-page#page-session-storage), reads and writes the page's storage for the current origin: ```js await page.localStorage.setItem('token', 'abc'); const token = await page.localStorage.getItem('token'); const items = await page.sessionStorage.items(); ``` #### New APIs ##### Network - [apiResponse.securityDetails()](https://playwright.dev/docs/api/class-apiresponse#api-response-security-details) and [apiResponse.serverAddr()](https://playwright.dev/docs/api/class-apiresponse#api-response-server-addr) mirror the browser-side [response.securityDetails()](https://playwright.dev/docs/api/class-response#response-security-details) and [response.serverAddr()](https://playwright.dev/docs/api/class-response#response-server-addr). ##### Browser and Screencast - New option `artifactsDir` in [browserType.connectOverCDP()](https://playwright.dev/docs/api/class-browsertype#browser-type-connect-over-cdp) controls where artifacts such as traces and downloads are stored when attached to an existing browser. - New option `cursor` in [screencast.showActions()](https://playwright.dev/docs/api/class-screencast#screencast-show-actions) controls the cursor decoration rendered for pointer actions. - The `onFrame` callback in [screencast.start()](https://playwright.dev/docs/api/class-screencast#screencast-start) now receives a `timestamp` of when the frame was presented by the browser. ##### Test runner - The [testOptions.video](https://playwright.dev/docs/api/class-testoptions#test-options-video) option now supports the same set of modes as `trace`: new `'on-all-retries'`, `'retain-on-first-failure'` and `'retain-on-failure-and-retries'` values. See the [video modes table](https://playwright.dev/docs/test-use-options#video-modes) for which runs are recorded and kept in each mode. - Supported `expect.soft.poll(...)`. - New [fullConfig.argv](https://playwright.dev/docs/api/class-fullconfig#full-config-argv) — a snapshot of `process.argv` from the runner process, handy for reading custom arguments passed after the `--` separator. - New [fullConfig.failOnFlakyTests](https://playwright.dev/docs/api/class-fullconfig#full-config-fail-on-flaky-tests) mirrors the config option, so reporters can explain why a flaky run failed. - [testInfo.errors](https://playwright.dev/docs/api/class-testinfo#test-info-errors) now lists each sub-error of an `AggregateError` as a separate entry. - New `-G` command line shorthand for `--grep-invert`. #### 🛠️ Other improvements - Playwright now supports Ubuntu 26.04. - HAR and trace recordings now include WebSocket requests. #### Browser Versions - Chromium 149.0.7827.55 - Mozilla Firefox 151.0 - WebKit 26.5 This version was also tested against the following stable channels: - Google Chrome 149 - Microsoft Edge 149 </details> <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.10.5`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.5) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.4...v20.10.5) ##### :construction\_worker\_man: Patch fixes - Adds cache to query selector parser - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​2142](https://redirect.github.com/capricorn86/happy-dom/issues/2142) - The selector parser degraded in performance in v20.6.3 to solve more complex selectors - Parsing is still a bit slower, but the cache will hopefully mitigate most of the problem ### [`v20.10.4`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.4) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.3...v20.10.4) ##### :construction\_worker\_man: Patch fixes - Coerce null qualifiedName to empty string in createDocument - By **[@​Firer](https://redirect.github.com/Firer)** in task [#​2206](https://redirect.github.com/capricorn86/happy-dom/issues/2206) ### [`v20.10.3`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.3) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.2...v20.10.3) ##### :construction\_worker\_man: Patch fixes - Fix "\~=" attribute selector matching hyphenated substrings in CSS selectors - By **[@​mixelburg](https://redirect.github.com/mixelburg)** in task [#​2194](https://redirect.github.com/capricorn86/happy-dom/issues/2194) </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.7.0`](https://redirect.github.com/pnpm/pnpm/releases/tag/v11.7.0): pnpm 11.7 [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.6.0...v11.7.0) #### Minor Changes - Added a new setting `frozenStore` (`--frozen-store`) that lets `pnpm install` run against a package store on a read-only filesystem (e.g. a Nix store, a read-only bind mount, an OCI layer). When enabled, pnpm opens the store's SQLite `index.db` through the `immutable=1` URI — bypassing the WAL/`-shm` sidecar creation that otherwise fails on a read-only directory — and suppresses every store-write path (the `index.db` writer and the project-registry write). Pair it with `--offline --frozen-lockfile` against a fully-populated store. Under the global virtual store, package directories live inside the store, so if the store is missing the build output of a package whose lifecycle scripts are approved (or that has a patch), pnpm fails up front with `ERR_PNPM_FROZEN_STORE_NEEDS_BUILD` rather than crashing mid-build on a read-only write — seed the store with those builds first. Incompatible with `--force` and with a configured pnpr server, since both write into the store; the side-effects cache is likewise not written under `frozenStore`. If the store is missing its content directory, the install fails fast with `ERR_PNPM_FROZEN_STORE_INCOMPLETE` rather than attempting to initialize it. The read-only `immutable=1` open requires Node.js >=22.15.0, >=23.11.0, or >=24.0.0; on older runtimes `--frozen-store` fails with a clear `ERR_PNPM_FROZEN_STORE_UNSUPPORTED_NODE` error. Bin-linking also tolerates a read-only store: under the global virtual store a package's bin source lives inside the store, so the `chmod` that makes it executable would be refused — with `EPERM`/`EACCES`, or with `EROFS` on a genuinely read-only filesystem. That `chmod` is redundant when the seed already ships its bins executable with a normalized shebang, so it is now skipped in that case, while a non-executable bin (or one still carrying a Windows CRLF shebang) on a read-only store still errors. - When [`pacquet`](https://redirect.github.com/pnpm/pnpm/tree/main/pacquet) (the Rust port of pnpm) is declared in `configDependencies`, pnpm now delegates dependency **resolution** to it too — not just materialization — provided the installed pacquet is new enough to support full resolving installs (>= 0.11.7). Previously pacquet only ran in frozen-install mode: pnpm always resolved the dependency graph itself (writing `pnpm-lock.yaml`) and handed pacquet a finished lockfile to fetch / import / link. With pacquet >= 0.11.7, a non-frozen `pnpm install` (default isolated `nodeLinker`, plain install) is delegated to pacquet end-to-end in a single pass — pacquet resolves the manifests, writes the lockfile, and materializes `node_modules`. pnpm detects the capability from the installed pacquet's version; older pacquet releases keep the resolve-then-materialize split, and `add` / `update` / `remove` still resolve in pnpm (it has to mutate the manifests first). This remains an opt-in preview of the Rust install engine [#​11723](https://redirect.github.com/pnpm/pnpm/issues/11723). - Added a new opt-in `--batch` flag to `pnpm publish --recursive` that sends all selected packages to the registry in a single `PUT /-/pnpm/v1/publish` request instead of one request per package. The target registry has to implement the batch publish endpoint (pnpr does); registries that don't are reported with a clear `ERR_PNPM_BATCH_PUBLISH_UNSUPPORTED` error. The batch is processed all-or-nothing by pnpr: if any package in the batch fails validation, none of the packages are published. #### Patch Changes - Reject path-traversal and reserved dependency aliases (such as `../../../escape`, `.bin`, `.pnpm`, or `node_modules`) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoisted `node_modules` directory, letting package files be written outside the intended install root or overwrite pnpm-owned layout. The fix adds two layers: - The `nodeLinker: hoisted` graph builder now validates each alias at the directory sink (`safeJoinModulesDir`), matching the validation pnpm already performs when resolving aliases from manifests. - The lockfile verification gate (`verifyLockfileResolutions`) now runs an always-on, policy-independent check that rejects any importer or snapshot dependency alias that is not a valid package name, failing the install early — before any fetch or filesystem work — for every node linker at once. - Made shared package child resolution deterministic when the same package is reached through multiple contexts. pnpm now chooses the shallowest occurrence, then importer order, then parent path, instead of letting request timing decide the child context and missing-peer report [pnpm/pnpm#12358](https://redirect.github.com/pnpm/pnpm/issues/12358). - Fix garbled summary line after submitting `pnpm update -i` and `pnpm audit --fix -i`. The interactive checkbox prompt previously printed every selected choice's full table row (label, current/target versions, workspace, URL) joined by commas, producing a wall of text after pressing Enter. The summary now lists only the selected package names (or vulnerability keys) by setting an explicit `short` per choice; the in-progress selection UI is unchanged. - Prevent `pnpm patch-remove` from removing files outside the configured patches directory. - Fixed `pnpm publish` ignoring `strictSsl: false` when publishing to registries with self-signed certificates. The `strictSSL` option is now forwarded to `libnpmpublish` / `npm-registry-fetch` so that `strict-ssl=false` in `.npmrc` or `strictSsl: false` in `pnpm-workspace.yaml` is respected during publish, the same way it is for `pnpm install` [pnpm/pnpm#12012](https://redirect.github.com/pnpm/pnpm/issues/12012). - Fixed `Cannot destructure property 'manifest' of 'manifestsByPath[rootDir]' as it is undefined` regression introduced in 11.6.0 when running `pnpm add <pkg>` outside a workspace on Windows. `selectProjectByDir` was keying the resulting `ProjectsGraph` by `opts.dir` instead of `project.rootDir`, so downstream `manifestsByPath` lookups missed when the two paths normalized differently (typically drive-letter casing). [pnpm/pnpm#12379](https://redirect.github.com/pnpm/pnpm/issues/12379) - Git dependencies that point to a subdirectory of a repository (`repo#commit&path:/sub/dir`) keep their `path` in the lockfile again. Since the integrity of git-hosted tarballs started being pinned in the lockfile, any install that actually downloaded the tarball rebuilt the lockfile resolution as `{ integrity, tarball, gitHosted }` and dropped the `path` field, while installs served from the store kept it — so the field disappeared seemingly at random. Without `path`, later installs from that lockfile silently unpacked the repository root instead of the subdirectory [#​12304](https://redirect.github.com/pnpm/pnpm/issues/12304). - Fixed nondeterministic lockfile output that made `pnpm dedupe --check` fail intermittently in CI. When a locked peer provider was pinned for a dependency that has no child dependencies of its own, the pinned provider leaked into the shared parent scope, so siblings resolved after it could pick up an optional peer they should not see. Which siblings were affected depended on resolution order, which varies with network timing. - Sped up `pnpm install` with a frozen lockfile by running lockfile verification (the policy revalidation gate added for `minimumReleaseAge`/`trustPolicy` and the tarball-URL anti-tamper check) concurrently with fetching and linking instead of blocking the whole install on it. Dependency lifecycle scripts are still held back until verification succeeds, so no script runs on an unverified lockfile: if verification fails the install aborts before any dependency build, and if linking finishes first the install waits for the verification verdict before completing. - User-defined `npm_config_*` environment variables are now preserved during lifecycle script execution. Previously, all `npm_`-prefixed env vars were stripped, which caused user-set variables like `npm_config_platform_arch` to be lost [pnpm/pnpm#12399](https://redirect.github.com/pnpm/pnpm/issues/12399). - pnpm can now use different auth tokens for different package scopes, even when those scopes use the same registry URL. Previously, auth was selected only by registry URL. If `@org-a` and `@org-b` both used `https://npm.pkg.github.com/`, they had to share the same token. This caused problems for registries that issue tokens per organization or per scope. Configure a scope-specific token by adding the package scope after the registry URL in the auth key: ```ini @​org-a:registry=https://npm.pkg.github.com/ @​org-b:registry=https://npm.pkg.github.com/ //npm.pkg.github.com/:@​org-a:_authToken=${ORG_A_TOKEN} //npm.pkg.github.com/:@​org-b:_authToken=${ORG_B_TOKEN} //npm.pkg.github.com/:_authToken=${FALLBACK_TOKEN} ``` `pnpm login --registry=https://npm.pkg.github.com --scope=@​org-a` writes the token to the same scope-specific auth key. When installing or publishing `@org-a/*`, pnpm uses `ORG_A_TOKEN`. For `@org-b/*`, pnpm uses `ORG_B_TOKEN`. Packages without a matching scope continue to use the registry-wide fallback token. - `pnpm setup` no longer prompts to approve build scripts for `@pnpm/exe` when installing the standalone executable. pnpm links the platform-specific binary itself, so the package's install scripts are skipped during the global self-install [#​12377](https://redirect.github.com/pnpm/pnpm/issues/12377). - Close lockfile reads deterministically before rewriting lockfiles and keep pacquet's virtual store directory length aligned with pnpm on Windows. - A `304 Not Modified` answer from the registry now renews the cached metadata file's mtime, so the `minimumReleaseAge` freshness shortcut keeps serving resolutions from the cache. Previously, once a cached packument grew older than `minimumReleaseAge`, every subsequent install re-validated it against the registry forever, because a 304 never rewrites the file. - Updated dependency ranges. Notably: - `@pnpm/logger` peer dependency range moved to `^1100.0.0`. - `msgpackr` 1.11.8 → 2.0.4 (store index files remain byte-compatible in both directions). - `open` ^7.4.2 → ^11.0.0, `memoize` ^10 → ^11, `cli-truncate` ^5 → ^6, `pidtree` ^0.6 → ^1. - `@yarnpkg/core` 4.5.0 → 4.8.0, `@rushstack/worker-pool` 0.7.7 → 0.7.18, `@cyclonedx/cyclonedx-library` 10.0.0 → 10.1.0, `@pnpm/config.nerf-dart` ^1 → ^2, `@pnpm/log.group` 3.0.2 → 4.0.1, `@pnpm/util.lex-comparator` ^3 → ^4. - Updated `@zkochan/cmd-shim` to v9.0.6. - Fixed a Windows-only hang where a failed command could take 20–46 seconds to exit. On error, pnpm enumerates descendant processes (via `pidtree`) to terminate them, which on Windows shells out to `wmic`/PowerShell `Get-CimInstance Win32_Process` — a lookup that is extremely slow on some machines. The lookup is now bounded by a short timeout so it can no longer stall the process exit. <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://openai.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/openai_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/openai_light.svg" /> <img src="https://pnpm.io/img/users/openai_dark.svg" width="160" alt="OpenAI" /> </picture> </a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> ### [`v11.6.0`](https://redirect.github.com/pnpm/pnpm/releases/tag/v11.6.0): pnpm 11.6 [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.5.3...v11.6.0) ##### ⚠️ Security fix — environment variables in a project `.npmrc` (action may be required) Following [GHSA-3qhv-2rgh-x77r](https://redirect.github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r), pnpm no longer expands `${ENV_VAR}` placeholders that come from a **repository-controlled** config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to: - the project/workspace `.npmrc` — `registry`, `@scope:registry`, proxy URLs, URL-scoped keys (`//host/…`), and credential values (`_authToken`, `_auth`, `_password`, `username`, `tokenHelper`, `cert`, `key`); - registry URLs in `pnpm-workspace.yaml`. Environment variables are **still** expanded in trusted config: your user-level `~/.npmrc`, the global config, CLI options, and environment config. **If your authentication broke after upgrading**, move the token out of the committed `.npmrc`: ```sh # Writes to your user/global config, not the repository: pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN" ``` Or keep the `${NPM_TOKEN}` line but put it in your user-level `~/.npmrc` instead of the repo. In **GitHub Actions**, `actions/setup-node` with `registry-url` already writes a user-level `.npmrc`, so `NODE_AUTH_TOKEN` keeps working. For other CI where editing each pipeline is hard, set `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` (or `NPM_CONFIG_USERCONFIG=.npmrc`) in the CI environment to declare the project `.npmrc` trusted. See <https://pnpm.io/npmrc> for full migration details. #### Minor Changes - `pnpm install` completes without re-resolving when `pnpm-lock.yaml` was deleted but `node_modules` is intact: the up-to-date check now treats the current lockfile (`node_modules/.pnpm/lock.yaml`) — the record of what the previous install materialized — as the wanted lockfile, verifies the manifests still match it, restores `pnpm-lock.yaml` from it, and reports "Already up to date". Previously this scenario triggered a full resolution and a re-verification of every locked package against the registry. - [`615c669`](https://redirect.github.com/pnpm/pnpm/commit/615c669): Added support for configuring URL-scoped registry settings through `npm_config_//…` and `pnpm_config_//…` environment variables, for example: ```text npm_config_//registry.npmjs.org/:_authToken=<token> pnpm_config_//registry.npmjs.org/:_authToken=<token> ``` This provides a file-free way to supply registry authentication. Because the registry a value applies to is encoded in the (trusted) environment variable name, it is host-scoped by construction and cannot be redirected to another registry by repository-controlled config. The environment value is treated as trusted config: it takes precedence over a project/workspace `.npmrc` but is still overridden by command-line options. When the same key is provided through both prefixes, `pnpm_config_` wins. - Raised the default network concurrency from `min(64, max(cpuCores * 3, 16))` to `min(96, max(cpuCores * 3, 64))`. Package downloads are I/O-bound, not CPU-bound, so deriving the floor from the core count left machines with few cores (for example 4-vCPU CI runners) downloading only 16 tarballs at a time and unable to saturate a low-latency registry. The `networkConcurrency` setting still overrides the default. #### Patch Changes - Improved the warning printed when a project `.npmrc` uses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by moving the line to the user-level `~/.npmrc` or running `pnpm config set "<key>" <value>` — with a link to <https://pnpm.io/npmrc>. The `pnpm config set` example is only suggested when the key has no `${...}` placeholder, so the snippet is always safe to copy-paste. - Print a "Lockfile passes supply-chain policies (verified 2h ago)" message when lockfile verification is skipped because a cached verdict for the same lockfile content and policy is reused. Previously the cached short-circuit was completely silent, which made it look like the policy gate never ran [#​12324](https://redirect.github.com/pnpm/pnpm/issues/12324). - Platform-specific optional dependencies are now skipped even when their `os`/`cpu`/`libc` fields are missing from the registry metadata or the lockfile. Some registries strip these fields from the package metadata, which made pnpm download and install the binaries of every platform regardless of `supportedArchitectures`. The missing platform fields of an optional dependency are now inferred from its name (e.g. `@nx/nx-win32-arm64-msvc` → `os: win32`, `cpu: arm64`), so foreign-platform binaries are skipped without even downloading them [#​11702](https://redirect.github.com/pnpm/pnpm/issues/11702). <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://openai.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/openai_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/openai_light.svg" /> <img src="https://pnpm.io/img/users/openai_dark.svg" width="160" alt="OpenAI" /> </picture> </a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> </details> <details> <summary>vitest-dev/vitest (vitest)</summary> ### [`v4.1.9`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v4.1.9) [Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.8...v4.1.9) ##### 🐞 Bug Fixes - Fix `importOriginal` with optimizer and query import \[backport to v4] - by **Hiroshi Ogawa**, **David Harris**, **Codex**and **Vladimir** in [#​10546](https://redirect.github.com/vitest-dev/vitest/issues/10546) [<samp>(a5180)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/a5180190c) - **browser**: - Wait for orchestrator readiness before resolving browser sessions \[backport to v4] - by **Vladimir** and **Séamus O'Connor** in [#​10555](https://redirect.github.com/vitest-dev/vitest/issues/10555) [<samp>(7fb29)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/7fb29651a) - Wait for iframe tester readiness before preparing \[backport to v4] - by **Vladimir** and **Séamus O'Connor** in [#​10497](https://redirect.github.com/vitest-dev/vitest/issues/10497) and [#​10556](https://redirect.github.com/vitest-dev/vitest/issues/10556) [<samp>(fbc62)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/fbc626c40) - **mocker**: - Hoist vi.mock() for vite-plus/test imports \[backport to v4] - by **Hiroshi Ogawa**, **LongYinan**, **Claude Opus 4.8** and **Vladimir** in [#​10548](https://redirect.github.com/vitest-dev/vitest/issues/10548) [<samp>(2c955)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/2c9559c02) - **pool**: - Prevent test run hang on worker crash \[backport to v4] - by **Ari Perkkiö** and **Jattioui Ismail** in [#​10543](https://redirect.github.com/vitest-dev/vitest/issues/10543) and [#​10564](https://redirect.github.com/vitest-dev/vitest/issues/10564) [<samp>(934b0)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/934b0f587) ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.8...v4.1.9) </details> <details> <summary>vuejs/core (vue)</summary> ### [`v3.5.38`](https://redirect.github.com/vuejs/core/blob/HEAD/CHANGELOG.md#3538-2026-06-11) [Compare Source](https://redirect.github.com/vuejs/core/compare/v3.5.37...v3.5.38) </details> <details> <summary>vuejs/language-tools (vue-tsc)</summary> ### [`v3.3.5`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#335-2026-06-13) [Compare Source](https://redirect.github.com/vuejs/language-tools/compare/v3.3.4...v3.3.5) ##### language-core - **fix:** include event modifiers in duplicate listener checks ([#​6097](https://redirect.github.com/vuejs/language-tools/issues/6097)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
bircni
|
649cb6ff3e |
fix(actions): show run index in run view and fix summary graph height (#38165)
- Display the per-repository run number as `#N` next to the run title in the run view, matching the runs list and GitHub - Add the run `Index` to the run view API response (and the devtest mock) to support that - Restore the summary panel's `flex: 1` so the workflow graph fills the right-column height even when a run has no job summaries - Keep the job-summary section content-sized so it doesn't compete with the graph for height - Gate the devtest mock job summaries to a subset of runs so the devtest page also exercises the no-summary layout <img width="521" height="232" alt="image" src="https://github.com/user-attachments/assets/a1f2f20b-65bd-4d98-ba6a-b8135580a6de" /> |
||
|
puni9869
|
a4781dde89 |
fix(indexer): fix assignee filters in issue search (#38021)
fix(indexer): fix assignee filters in issue search (#38021) Issue search filtering still relied on the legacy single-assignee field, so searches such as "Assigned to you" could miss issues when a keyword query was used. Index all issue assignee IDs and add an explicit no_assignee field so specific, any-assignee, and no-assignee filters work consistently across Bleve, Elasticsearch, and Meilisearch. Fixes #36299. |
||
|
bircni
|
7684221ed4 |
feat(actions): implement jobs.<job_id>.continue-on-error (#38100)
Support `continue-on-error` for workflow jobs when aggregating an Actions workflow run status. Previously, `continue-on-error` was parsed from workflow YAML but was not persisted or used when calculating the overall run result. As a result, a failed job could incorrectly fail the entire workflow even when the workflow explicitly allowed that job to fail. This PR stores the parsed `continue-on-error` value on each action run job and treats failed jobs with `continue-on-error: true` as successful when computing the workflow run status, matching GitHub Actions behavior. ## Changes - Add `ContinueOnError` to `jobparser.Job`. - Add `continue_on_error` to `ActionRunJob` with a `NOT NULL DEFAULT FALSE` migration. - Populate `ActionRunJob.ContinueOnError` when creating workflow run jobs. - Update workflow status aggregation so failed `continue-on-error` jobs do not fail the overall run. - Leave `resolveCheckNeeds` unchanged so dependent jobs still see the job result as `failure` and are skipped by default. ## Compatibility This is backward compatible. If only the runner or only the server is updated, `continue-on-error` continues to degrade to the previous behavior and is effectively ignored until both sides support it. Related runner PR: https://gitea.com/gitea/runner/pulls/1032 --------- Signed-off-by: bircni <bircni@icloud.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
Giteabot
|
2c2611eab9 |
chore(deps): update dependency djlint to v1.39.2 (#38192)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [djlint](https://redirect.github.com/djlint/djLint) | `==1.39.0` → `==1.39.2` |  |  | --- ### Release Notes <details> <summary>djlint/djLint (djlint)</summary> ### [`v1.39.2`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1392---2026-06-11) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.39.0...v1.39.2) v1.39.1 was not published due to mypyc compilation error. ##### Packaging - Fix mypyc compilation. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: bircni <bircni@icloud.com> |
||
|
bircni
|
685b62c60f | fix(api): don't expose private org membership via public_members (#38145) | ||
|
Lunny Xiao
|
e5891263f8 |
docs: update changelog for 1.26.3 & 1.26.4 (#38178)
Front port changelog for 1.26.3 & 1.26.4 --------- Co-authored-by: bircni <bircni@icloud.com> |
||
|
bircni
|
180af33f86 |
perf: Various performance regression fixes (#38078)
Fixes five N+1 / O(n) query patterns found across common user paths.
Each uses a bulk query that already existed elsewhere in the codebase.
| Location | Problem | Introduced in |
| -------------------------------- |
-------------------------------------------------------------------------------------------------------------------------------
| ------------- |
| `IssueList.LoadIsRead` | `.In("issue_id")` missing its arg — xorm
generates `WHERE 0=1`, so `IsRead` is **never** set; every issue always
appears unread | #29515 |
| `ParseCommitsWithStatus` | `GetLatestCommitStatus` called once per
commit (O(n) queries on commit list / PR commits tab) | #33605 |
| `getReleaseInfos` (release list) | `GetLatestCommitStatus` called once
per release for CI badges | #29149 |
| User milestone dashboard | O(n×m) nested loop matching milestones to
repos | #26300 |
| `findCodeComments` (PR diff) | `LoadResolveDoer` + `LoadReactions`
called per inline comment — up to ~150 queries on a PR with 50 comments
| #20821 |
---------
Co-authored-by: Lauris B <lauris@nix.lv>
|
||
|
wxiaoguang
|
ceec230fc0 |
fix: walk git log context error handling (#38182)
Fix #38177 Make WalkGitLog can handle EOF and context errors correctly, and don't export these private functions & methods & structs. |
||
|
silverwind
|
804b9bf120 |
chore: upgrade eslint plugins, remove eslint-plugin-github (#38046)
- Bump `eslint`, `typescript-eslint` and `eslint-plugin-unicorn` (to v68), and configure the rules added in unicorn v66/v67/v68. - Remove `eslint-plugin-github` and its workarounds (rules, type stub, pnpm peer override, in-code `eslint-disable` comments); the rules worth keeping are covered by `unicorn` equivalents. - Apply the resulting fixes and autofixes across the JS codebase. _Prepared with Claude (Opus 4.8)._ --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bircni
|
5368542f8e | fix(cli): default must-change-password to false for bot users (#38175) | ||
|
TheFox0x7
|
645b10087d |
fix(hostmacher): patch incorrect private list (#38170)
regression from #38039 |
||
|
SEONGHYUN HONG
|
a12f980793 |
docs: fix duplicated word in foreachref doc comment (#38161)
The Format doc comment read "See See git-for-each-ref(1)" — removed the duplicated "See" (the sibling field comments use a single "See"). Signed-off-by: s3onghyun <s3onghyun.hong@gmail.com> |
||
|
wxiaoguang
|
21bcca798b |
fix: csp (#38162)
ref: https://github.com/go-gitea/gitea/issues/8707#issuecomment-4741577316 |
||
|
fwag
|
9c82394315 |
fix: Fix issue target branch selection for non-collaborators (#36916)
This PR fixes a bug in the UI that prevented non-collaborator users (the issue poster or creator) from setting the target branch (ref) of an issue. The backend API already supports this, but the UI was rigidly disabling the dropdown based only on collaborator status. Changes: - Enable the branch selector for the issue poster and during new issue creation. - Fix a typo (.IsIssueWriter -> .IsIssuePoster) that was preventing the reference update URL from being correctly set for posters. |
||
|
silverwind
|
de83393487 |
refactor: replace legacy delete-button with link-action (#38143)
Removes the legacy `delete-button` handler (`initGlobalDeleteButton`) and migrates all remaining usages to `link-action` and `show-modal` / `form-fetch-action`. Two handlers are adjusted for the new request shape: webauthn key delete reads `id` from the query, and account deletion returns `JSONError` on validation failure. A E2E test ist added to cover one of the use cases. Suggested in https://github.com/go-gitea/gitea/pull/38046#discussion_r3414936737. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: bircni <bircni@icloud.com> |
||
|
Lunny Xiao
|
64f3796567 |
fix: Fix the panic when ssh remote lfs endpoint parsing failure (#38026)
Fix #38016 |
||
|
bircni
|
240d0efa7e |
perf: extend action c_u index to include created_unix for faster dashboard feeds (#38076)
Adds `created_unix` as the third column of the `c_u` composite index on the `action` table, changing it from `(user_id, is_deleted)` to `(user_id, is_deleted, created_unix)`. Migration 337 drops and recreates the index. No data is touched. ## Root causes #32333 introduced the `c_u` index to speed up dashboard queries, but defined it as `(user_id, is_deleted)` — without `created_unix`. #3368 The simple query is now efficient enough for the database to actually use `c_u`, but because `created_unix` is absent from the index, the database must load and sort **every** matching row before returning the first page of 20. The existing `c_u_d` index `(created_unix, user_id, is_deleted)` does not help because its leading column is `created_unix`, which can't be used for an equality seek on `user_id`. Those two caused this issue: https://github.com/go-gitea/gitea/issues/38075 With the fix, the database seeks directly to `(user_id=X, is_deleted=false)` and walks `created_unix` in descending order, stopping after 20 rows. Fixes https://github.com/go-gitea/gitea/issues/38075 |
||
|
bircni
|
68692e19d4 |
fix: Various security fixes (#38103)
- Enforce org visibility on organization label read endpoints (private org labels no longer leak to non-members). - Block fork sync (`merge-upstream`) when the base repo is no longer readable (stops pulling commits after a parent goes private). - Remove `REVERSE_PROXY_LIMIT` / `REVERSE_PROXY_TRUSTED_PROXIES` from the Docker `app.ini` templates (the `= *` default allowed `X-WEBAUTH-USER` impersonation; reverse-proxy auth is now opt-in and admin-configured). - Enforce single-use TOTP passcodes across web login, password-reset, and Basic-Auth `X-Gitea-OTP` (fixes a TOCTOU race and a stateless replay). - Re-check branch write permission for every ref in a push (the pre-receive hook cached the first ref's result, letting a per-branch maintainer-edit grant escalate to full repo write). --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bircni
|
c68925152b |
docs: add development setup guide (#37960)
Moves the "Hacking on Gitea" page out of the documentation website and into the repository as `docs/development.md`, so contributors find build and test instructions next to the code. The content has been cleaned up and corrected for in-repo use. --------- Signed-off-by: bircni <bircni@icloud.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
bircni
|
9e84deb969 |
fix: Various sec fixes 2 (#38108)
- Enforce repository token scope on RSS/Atom feed endpoints so a PAT without repo scope can no longer read private repo commit data. - Block HTTP redirects during repository migration clones to prevent SSRF reaching internal addresses via an attacker-controlled redirect. - Redact the notification subject after repo access is revoked so private issue/PR metadata is no longer leaked through the notification API. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
GiteaBot
|
795531cea0 | [skip ci] Updated translations via Crowdin | ||
|
Lunny Xiao
|
0be7543560 |
fix(mssql): expand legacy issue and comment long-text columns (#38120)
## Summary This fixes pull request creation failures on upgraded MSSQL instances where legacy `issue` and `comment` long-text columns are still limited to `nvarchar(4000)`. When a PR is created, Gitea stores a pull request push timeline comment containing JSON with `commit_ids`. For PRs with many commits, that payload can exceed 4000 characters and MSSQL rejects the insert with: > String or binary data would be truncated in table 'comment', column 'content' This change adds a migration that expands the affected legacy MSSQL columns to `NVARCHAR(MAX)`. The previous migration in models/migrations/v1_16/v191.go only applies to MySQL, not MSSQL. migration now skips columns already using NVARCHAR(MAX) / VARCHAR(MAX) Closes #37893 ## Changes - add migration `338` for MSSQL-only long-text expansion - expand: - `issue.content` - `comment.content` - `comment.patch` - add an MSSQL regression test that starts from a legacy `VARCHAR(4000)` schema and verifies inserts larger than 4000 characters succeed after migration ## Why this approach The current model already declares these fields as `LONGTEXT`, so the bug is caused by stale upgraded MSSQL schemas rather than by PR creation logic itself. Fixing the schema is the smallest and safest change, and also prevents similar truncation issues for other long issue/comment content. |
