mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-22 19:19:57 +00:00
e03425b98605210b7efb5448bb357ed67cff2a36
21031 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
e03425b986 | fix(deps): update go dependencies | ||
|
|
736ab982c8 |
enhance: allow builtin default git config options to be overridden (#38172)
This is really a follow-up to [#38148](https://github.com/go-gitea/gitea/pull/35305) , instead of having specific mappings of options for git configurations, just honor any user-provided gitconfig. I include a test which points out the specific config I have which was previously not honored, but more generally this means that gitea now only *adds* new gitconfig and never overwrites any config provided under `[git.config]`. --------- Signed-off-by: Royce Remer <royceremer@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
08a18d36a6 | [skip ci] Updated translations via Crowdin | ||
|
|
8a6697123f |
chore(deps): update action dependencies (#38191)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [crowdin/github-action](https://redirect.github.com/crowdin/github-action) | action | patch | `v2.16.2` → `v2.16.3` | | [pnpm/action-setup](https://redirect.github.com/pnpm/action-setup) | action | patch | `v6.0.8` → `v6.0.9` | --- ### Release Notes <details> <summary>crowdin/github-action (crowdin/github-action)</summary> ### [`v2.16.3`](https://redirect.github.com/crowdin/github-action/releases/tag/v2.16.3) [Compare Source](https://redirect.github.com/crowdin/github-action/compare/v2.16.2...v2.16.3) #### What's Changed - CLI [4.14.3](https://redirect.github.com/crowdin/crowdin-cli/releases/tag/4.14.3) by [@​andrii-bodnar](https://redirect.github.com/andrii-bodnar) **Full Changelog**: <https://github.com/crowdin/github-action/compare/v2.16.2...v2.16.3> </details> <details> <summary>pnpm/action-setup (pnpm/action-setup)</summary> ### [`v6.0.9`](https://redirect.github.com/pnpm/action-setup/releases/tag/v6.0.9) [Compare Source](https://redirect.github.com/pnpm/action-setup/compare/v6.0.8...v6.0.9) ##### What's Changed - fix: update pnpm to v11.7.0 by [@​zkochan](https://redirect.github.com/zkochan) in [#​267](https://redirect.github.com/pnpm/action-setup/pull/267) **Full Changelog**: <https://github.com/pnpm/action-setup/compare/v6...v6.0.9> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. 
--- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
2cd4506120 |
fix(deps): update npm dependencies (#38193)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/search | [`6.7.0` → `6.7.1`](https://renovatebot.com/diffs/npm/@codemirror%2fsearch/6.7.0/6.7.1) |  |  | | [@playwright/test](https://playwright.dev) ([source](https://redirect.github.com/microsoft/playwright)) | [`1.60.0` → `1.61.0`](https://renovatebot.com/diffs/npm/@playwright%2ftest/1.60.0/1.61.0) |  |  | | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.10.2` → `20.10.5`](https://renovatebot.com/diffs/npm/happy-dom/20.10.2/20.10.5) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.5.3` → `11.7.0`](https://renovatebot.com/diffs/npm/pnpm/11.5.3/11.7.0) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.8` → `4.1.9`](https://renovatebot.com/diffs/npm/vitest/4.1.8/4.1.9) |  |  | | [vue](https://vuejs.org/) ([source](https://redirect.github.com/vuejs/core)) | [`3.5.37` → `3.5.38`](https://renovatebot.com/diffs/npm/vue/3.5.37/3.5.38) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.3.4` → `3.3.5`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.4/3.3.5) |  |  | --- ### Release Notes <details> <summary>microsoft/playwright (@​playwright/test)</summary> ### [`v1.61.0`](https://redirect.github.com/microsoft/playwright/releases/tag/v1.61.0) [Compare Source](https://redirect.github.com/microsoft/playwright/compare/v1.60.0...v1.61.0) #### 🔑 WebAuthn passkeys New [Credentials](https://playwright.dev/docs/api/class-credentials) virtual authenticator, available via [browserContext.credentials](https://playwright.dev/docs/api/class-browsercontext#browser-context-credentials), lets tests register passkeys 
and answer `navigator.credentials.create()` / `navigator.credentials.get()` ceremonies in the page — no real hardware key required, works in all browsers: ```js const context = await browser.newContext(); // Seed a passkey your backend provisioned for a test user. await context.credentials.create('example.com', { id: credentialId, userHandle, privateKey, publicKey, }); await context.credentials.install(); const page = await context.newPage(); await page.goto('https://example.com/login'); // The page's navigator.credentials.get() is answered with the seeded passkey. ``` You can also let the app register a passkey once in a setup test, read it back with [credentials.get()](https://playwright.dev/docs/api/class-credentials#credentials-get), and seed it into later tests — see [Credentials](https://playwright.dev/docs/api/class-credentials) for details. #### 🗃️ Web Storage New [WebStorage](https://playwright.dev/docs/api/class-webstorage) API, available via [page.localStorage](https://playwright.dev/docs/api/class-page#page-local-storage) and [page.sessionStorage](https://playwright.dev/docs/api/class-page#page-session-storage), reads and writes the page's storage for the current origin: ```js await page.localStorage.setItem('token', 'abc'); const token = await page.localStorage.getItem('token'); const items = await page.sessionStorage.items(); ``` #### New APIs ##### Network - [apiResponse.securityDetails()](https://playwright.dev/docs/api/class-apiresponse#api-response-security-details) and [apiResponse.serverAddr()](https://playwright.dev/docs/api/class-apiresponse#api-response-server-addr) mirror the browser-side [response.securityDetails()](https://playwright.dev/docs/api/class-response#response-security-details) and [response.serverAddr()](https://playwright.dev/docs/api/class-response#response-server-addr). 
##### Browser and Screencast - New option `artifactsDir` in [browserType.connectOverCDP()](https://playwright.dev/docs/api/class-browsertype#browser-type-connect-over-cdp) controls where artifacts such as traces and downloads are stored when attached to an existing browser. - New option `cursor` in [screencast.showActions()](https://playwright.dev/docs/api/class-screencast#screencast-show-actions) controls the cursor decoration rendered for pointer actions. - The `onFrame` callback in [screencast.start()](https://playwright.dev/docs/api/class-screencast#screencast-start) now receives a `timestamp` of when the frame was presented by the browser. ##### Test runner - The [testOptions.video](https://playwright.dev/docs/api/class-testoptions#test-options-video) option now supports the same set of modes as `trace`: new `'on-all-retries'`, `'retain-on-first-failure'` and `'retain-on-failure-and-retries'` values. See the [video modes table](https://playwright.dev/docs/test-use-options#video-modes) for which runs are recorded and kept in each mode. - Supported `expect.soft.poll(...)`. - New [fullConfig.argv](https://playwright.dev/docs/api/class-fullconfig#full-config-argv) — a snapshot of `process.argv` from the runner process, handy for reading custom arguments passed after the `--` separator. - New [fullConfig.failOnFlakyTests](https://playwright.dev/docs/api/class-fullconfig#full-config-fail-on-flaky-tests) mirrors the config option, so reporters can explain why a flaky run failed. - [testInfo.errors](https://playwright.dev/docs/api/class-testinfo#test-info-errors) now lists each sub-error of an `AggregateError` as a separate entry. - New `-G` command line shorthand for `--grep-invert`. #### 🛠️ Other improvements - Playwright now supports Ubuntu 26.04. - HAR and trace recordings now include WebSocket requests. 
#### Browser Versions - Chromium 149.0.7827.55 - Mozilla Firefox 151.0 - WebKit 26.5 This version was also tested against the following stable channels: - Google Chrome 149 - Microsoft Edge 149 </details> <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.10.5`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.5) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.4...v20.10.5) ##### :construction\_worker\_man: Patch fixes - Adds cache to query selector parser - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​2142](https://redirect.github.com/capricorn86/happy-dom/issues/2142) - The selector parser degraded in performance in v20.6.3 to solve more complex selectors - Parsing is still a bit slower, but the cache will hopefully mitigate most of the problem ### [`v20.10.4`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.4) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.3...v20.10.4) ##### :construction\_worker\_man: Patch fixes - Coerce null qualifiedName to empty string in createDocument - By **[@​Firer](https://redirect.github.com/Firer)** in task [#​2206](https://redirect.github.com/capricorn86/happy-dom/issues/2206) ### [`v20.10.3`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.3) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.2...v20.10.3) ##### :construction\_worker\_man: Patch fixes - Fix "\~=" attribute selector matching hyphenated substrings in CSS selectors - By **[@​mixelburg](https://redirect.github.com/mixelburg)** in task [#​2194](https://redirect.github.com/capricorn86/happy-dom/issues/2194) </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.7.0`](https://redirect.github.com/pnpm/pnpm/releases/tag/v11.7.0): pnpm 11.7 [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.6.0...v11.7.0) #### Minor Changes - Added a 
new setting `frozenStore` (`--frozen-store`) that lets `pnpm install` run against a package store on a read-only filesystem (e.g. a Nix store, a read-only bind mount, an OCI layer). When enabled, pnpm opens the store's SQLite `index.db` through the `immutable=1` URI — bypassing the WAL/`-shm` sidecar creation that otherwise fails on a read-only directory — and suppresses every store-write path (the `index.db` writer and the project-registry write). Pair it with `--offline --frozen-lockfile` against a fully-populated store. Under the global virtual store, package directories live inside the store, so if the store is missing the build output of a package whose lifecycle scripts are approved (or that has a patch), pnpm fails up front with `ERR_PNPM_FROZEN_STORE_NEEDS_BUILD` rather than crashing mid-build on a read-only write — seed the store with those builds first. Incompatible with `--force` and with a configured pnpr server, since both write into the store; the side-effects cache is likewise not written under `frozenStore`. If the store is missing its content directory, the install fails fast with `ERR_PNPM_FROZEN_STORE_INCOMPLETE` rather than attempting to initialize it. The read-only `immutable=1` open requires Node.js >=22.15.0, >=23.11.0, or >=24.0.0; on older runtimes `--frozen-store` fails with a clear `ERR_PNPM_FROZEN_STORE_UNSUPPORTED_NODE` error. Bin-linking also tolerates a read-only store: under the global virtual store a package's bin source lives inside the store, so the `chmod` that makes it executable would be refused — with `EPERM`/`EACCES`, or with `EROFS` on a genuinely read-only filesystem. That `chmod` is redundant when the seed already ships its bins executable with a normalized shebang, so it is now skipped in that case, while a non-executable bin (or one still carrying a Windows CRLF shebang) on a read-only store still errors. 
- When [`pacquet`](https://redirect.github.com/pnpm/pnpm/tree/main/pacquet) (the Rust port of pnpm) is declared in `configDependencies`, pnpm now delegates dependency **resolution** to it too — not just materialization — provided the installed pacquet is new enough to support full resolving installs (>= 0.11.7). Previously pacquet only ran in frozen-install mode: pnpm always resolved the dependency graph itself (writing `pnpm-lock.yaml`) and handed pacquet a finished lockfile to fetch / import / link. With pacquet >= 0.11.7, a non-frozen `pnpm install` (default isolated `nodeLinker`, plain install) is delegated to pacquet end-to-end in a single pass — pacquet resolves the manifests, writes the lockfile, and materializes `node_modules`. pnpm detects the capability from the installed pacquet's version; older pacquet releases keep the resolve-then-materialize split, and `add` / `update` / `remove` still resolve in pnpm (it has to mutate the manifests first). This remains an opt-in preview of the Rust install engine [#​11723](https://redirect.github.com/pnpm/pnpm/issues/11723). - Added a new opt-in `--batch` flag to `pnpm publish --recursive` that sends all selected packages to the registry in a single `PUT /-/pnpm/v1/publish` request instead of one request per package. The target registry has to implement the batch publish endpoint (pnpr does); registries that don't are reported with a clear `ERR_PNPM_BATCH_PUBLISH_UNSUPPORTED` error. The batch is processed all-or-nothing by pnpr: if any package in the batch fails validation, none of the packages are published. #### Patch Changes - Reject path-traversal and reserved dependency aliases (such as `../../../escape`, `.bin`, `.pnpm`, or `node_modules`) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoisted `node_modules` directory, letting package files be written outside the intended install root or overwrite pnpm-owned layout. 
The fix adds two layers: - The `nodeLinker: hoisted` graph builder now validates each alias at the directory sink (`safeJoinModulesDir`), matching the validation pnpm already performs when resolving aliases from manifests. - The lockfile verification gate (`verifyLockfileResolutions`) now runs an always-on, policy-independent check that rejects any importer or snapshot dependency alias that is not a valid package name, failing the install early — before any fetch or filesystem work — for every node linker at once. - Made shared package child resolution deterministic when the same package is reached through multiple contexts. pnpm now chooses the shallowest occurrence, then importer order, then parent path, instead of letting request timing decide the child context and missing-peer report [pnpm/pnpm#12358](https://redirect.github.com/pnpm/pnpm/issues/12358). - Fix garbled summary line after submitting `pnpm update -i` and `pnpm audit --fix -i`. The interactive checkbox prompt previously printed every selected choice's full table row (label, current/target versions, workspace, URL) joined by commas, producing a wall of text after pressing Enter. The summary now lists only the selected package names (or vulnerability keys) by setting an explicit `short` per choice; the in-progress selection UI is unchanged. - Prevent `pnpm patch-remove` from removing files outside the configured patches directory. - Fixed `pnpm publish` ignoring `strictSsl: false` when publishing to registries with self-signed certificates. The `strictSSL` option is now forwarded to `libnpmpublish` / `npm-registry-fetch` so that `strict-ssl=false` in `.npmrc` or `strictSsl: false` in `pnpm-workspace.yaml` is respected during publish, the same way it is for `pnpm install` [pnpm/pnpm#12012](https://redirect.github.com/pnpm/pnpm/issues/12012). 
- Fixed `Cannot destructure property 'manifest' of 'manifestsByPath[rootDir]' as it is undefined` regression introduced in 11.6.0 when running `pnpm add <pkg>` outside a workspace on Windows. `selectProjectByDir` was keying the resulting `ProjectsGraph` by `opts.dir` instead of `project.rootDir`, so downstream `manifestsByPath` lookups missed when the two paths normalized differently (typically drive-letter casing). [pnpm/pnpm#12379](https://redirect.github.com/pnpm/pnpm/issues/12379) - Git dependencies that point to a subdirectory of a repository (`repo#commit&path:/sub/dir`) keep their `path` in the lockfile again. Since the integrity of git-hosted tarballs started being pinned in the lockfile, any install that actually downloaded the tarball rebuilt the lockfile resolution as `{ integrity, tarball, gitHosted }` and dropped the `path` field, while installs served from the store kept it — so the field disappeared seemingly at random. Without `path`, later installs from that lockfile silently unpacked the repository root instead of the subdirectory [#​12304](https://redirect.github.com/pnpm/pnpm/issues/12304). - Fixed nondeterministic lockfile output that made `pnpm dedupe --check` fail intermittently in CI. When a locked peer provider was pinned for a dependency that has no child dependencies of its own, the pinned provider leaked into the shared parent scope, so siblings resolved after it could pick up an optional peer they should not see. Which siblings were affected depended on resolution order, which varies with network timing. - Sped up `pnpm install` with a frozen lockfile by running lockfile verification (the policy revalidation gate added for `minimumReleaseAge`/`trustPolicy` and the tarball-URL anti-tamper check) concurrently with fetching and linking instead of blocking the whole install on it. 
Dependency lifecycle scripts are still held back until verification succeeds, so no script runs on an unverified lockfile: if verification fails the install aborts before any dependency build, and if linking finishes first the install waits for the verification verdict before completing. - User-defined `npm_config_*` environment variables are now preserved during lifecycle script execution. Previously, all `npm_`-prefixed env vars were stripped, which caused user-set variables like `npm_config_platform_arch` to be lost [pnpm/pnpm#12399](https://redirect.github.com/pnpm/pnpm/issues/12399). - pnpm can now use different auth tokens for different package scopes, even when those scopes use the same registry URL. Previously, auth was selected only by registry URL. If `@org-a` and `@org-b` both used `https://npm.pkg.github.com/`, they had to share the same token. This caused problems for registries that issue tokens per organization or per scope. Configure a scope-specific token by adding the package scope after the registry URL in the auth key: ```ini @​org-a:registry=https://npm.pkg.github.com/ @​org-b:registry=https://npm.pkg.github.com/ //npm.pkg.github.com/:@​org-a:_authToken=${ORG_A_TOKEN} //npm.pkg.github.com/:@​org-b:_authToken=${ORG_B_TOKEN} //npm.pkg.github.com/:_authToken=${FALLBACK_TOKEN} ``` `pnpm login --registry=https://npm.pkg.github.com --scope=@​org-a` writes the token to the same scope-specific auth key. When installing or publishing `@org-a/*`, pnpm uses `ORG_A_TOKEN`. For `@org-b/*`, pnpm uses `ORG_B_TOKEN`. Packages without a matching scope continue to use the registry-wide fallback token. - `pnpm setup` no longer prompts to approve build scripts for `@pnpm/exe` when installing the standalone executable. pnpm links the platform-specific binary itself, so the package's install scripts are skipped during the global self-install [#​12377](https://redirect.github.com/pnpm/pnpm/issues/12377). 
- Close lockfile reads deterministically before rewriting lockfiles and keep pacquet's virtual store directory length aligned with pnpm on Windows. - A `304 Not Modified` answer from the registry now renews the cached metadata file's mtime, so the `minimumReleaseAge` freshness shortcut keeps serving resolutions from the cache. Previously, once a cached packument grew older than `minimumReleaseAge`, every subsequent install re-validated it against the registry forever, because a 304 never rewrites the file. - Updated dependency ranges. Notably: - `@pnpm/logger` peer dependency range moved to `^1100.0.0`. - `msgpackr` 1.11.8 → 2.0.4 (store index files remain byte-compatible in both directions). - `open` ^7.4.2 → ^11.0.0, `memoize` ^10 → ^11, `cli-truncate` ^5 → ^6, `pidtree` ^0.6 → ^1. - `@yarnpkg/core` 4.5.0 → 4.8.0, `@rushstack/worker-pool` 0.7.7 → 0.7.18, `@cyclonedx/cyclonedx-library` 10.0.0 → 10.1.0, `@pnpm/config.nerf-dart` ^1 → ^2, `@pnpm/log.group` 3.0.2 → 4.0.1, `@pnpm/util.lex-comparator` ^3 → ^4. - Updated `@zkochan/cmd-shim` to v9.0.6. - Fixed a Windows-only hang where a failed command could take 20–46 seconds to exit. On error, pnpm enumerates descendant processes (via `pidtree`) to terminate them, which on Windows shells out to `wmic`/PowerShell `Get-CimInstance Win32_Process` — a lookup that is extremely slow on some machines. The lookup is now bounded by a short timeout so it can no longer stall the process exit. 
### [`v11.6.0`](https://redirect.github.com/pnpm/pnpm/releases/tag/v11.6.0): pnpm 11.6 [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.5.3...v11.6.0) ##### ⚠️ Security fix — environment variables in a project `.npmrc` (action may be required) Following [GHSA-3qhv-2rgh-x77r](https://redirect.github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r), pnpm no longer expands `${ENV_VAR}` placeholders that come from a **repository-controlled** config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to: - the project/workspace `.npmrc` — `registry`, `@scope:registry`, proxy URLs, URL-scoped keys (`//host/…`), and credential values (`_authToken`, `_auth`, `_password`, `username`, `tokenHelper`, `cert`, `key`); - registry URLs in `pnpm-workspace.yaml`. Environment variables are **still** expanded in trusted config: your user-level `~/.npmrc`, the global config, CLI options, and environment config. **If your authentication broke after upgrading**, move the token out of the committed `.npmrc`: ```sh # Writes to your user/global config, not the repository: pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN" ``` Or keep the `${NPM_TOKEN}` line but put it in your user-level `~/.npmrc` instead of the repo. In **GitHub Actions**, `actions/setup-node` with `registry-url` already writes a user-level `.npmrc`, so `NODE_AUTH_TOKEN` keeps working. For other CI where editing each pipeline is hard, set `PNPM_CONFIG_NPMRC_AUTH_FILE=.npmrc` (or `NPM_CONFIG_USERCONFIG=.npmrc`) in the CI environment to declare the project `.npmrc` trusted. See <https://pnpm.io/npmrc> for full migration details. 
#### Minor Changes - `pnpm install` completes without re-resolving when `pnpm-lock.yaml` was deleted but `node_modules` is intact: the up-to-date check now treats the current lockfile (`node_modules/.pnpm/lock.yaml`) — the record of what the previous install materialized — as the wanted lockfile, verifies the manifests still match it, restores `pnpm-lock.yaml` from it, and reports "Already up to date". Previously this scenario triggered a full resolution and a re-verification of every locked package against the registry. - [`615c669`](https://redirect.github.com/pnpm/pnpm/commit/615c669): Added support for configuring URL-scoped registry settings through `npm_config_//…` and `pnpm_config_//…` environment variables, for example: ```text npm_config_//registry.npmjs.org/:_authToken=<token> pnpm_config_//registry.npmjs.org/:_authToken=<token> ``` This provides a file-free way to supply registry authentication. Because the registry a value applies to is encoded in the (trusted) environment variable name, it is host-scoped by construction and cannot be redirected to another registry by repository-controlled config. The environment value is treated as trusted config: it takes precedence over a project/workspace `.npmrc` but is still overridden by command-line options. When the same key is provided through both prefixes, `pnpm_config_` wins. - Raised the default network concurrency from `min(64, max(cpuCores * 3, 16))` to `min(96, max(cpuCores * 3, 64))`. Package downloads are I/O-bound, not CPU-bound, so deriving the floor from the core count left machines with few cores (for example 4-vCPU CI runners) downloading only 16 tarballs at a time and unable to saturate a low-latency registry. The `networkConcurrency` setting still overrides the default. #### Patch Changes - Improved the warning printed when a project `.npmrc` uses an environment variable in a registry/proxy URL or in registry credentials. 
The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by moving the line to the user-level `~/.npmrc` or running `pnpm config set "<key>" <value>` — with a link to <https://pnpm.io/npmrc>. The `pnpm config set` example is only suggested when the key has no `${...}` placeholder, so the snippet is always safe to copy-paste. - Print a "Lockfile passes supply-chain policies (verified 2h ago)" message when lockfile verification is skipped because a cached verdict for the same lockfile content and policy is reused. Previously the cached short-circuit was completely silent, which made it look like the policy gate never ran [#​12324](https://redirect.github.com/pnpm/pnpm/issues/12324). - Platform-specific optional dependencies are now skipped even when their `os`/`cpu`/`libc` fields are missing from the registry metadata or the lockfile. Some registries strip these fields from the package metadata, which made pnpm download and install the binaries of every platform regardless of `supportedArchitectures`. The missing platform fields of an optional dependency are now inferred from its name (e.g. `@nx/nx-win32-arm64-msvc` → `os: win32`, `cpu: arm64`), so foreign-platform binaries are skipped without even downloading them [#​11702](https://redirect.github.com/pnpm/pnpm/issues/11702). 
</details> <details> <summary>vitest-dev/vitest (vitest)</summary> ### [`v4.1.9`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v4.1.9) [Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.8...v4.1.9) ##### 🐞 Bug Fixes - Fix `importOriginal` with optimizer and query import \[backport to v4] - by **Hiroshi Ogawa**, **David Harris**, **Codex**and **Vladimir** in [#​10546](https://redirect.github.com/vitest-dev/vitest/issues/10546) [<samp>(a5180)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/a5180190c) - **browser**: - Wait for orchestrator readiness before resolving browser sessions \[backport to v4] - by **Vladimir** and **Séamus O'Connor** in [#​10555](https://redirect.github.com/vitest-dev/vitest/issues/10555) [<samp>(7fb29)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/7fb29651a) - Wait for iframe tester readiness before preparing \[backport to v4] - by **Vladimir** and **Séamus O'Connor** in [#​10497](https://redirect.github.com/vitest-dev/vitest/issues/10497) and [#​10556](https://redirect.github.com/vitest-dev/vitest/issues/10556) [<samp>(fbc62)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/fbc626c40) - **mocker**: - Hoist vi.mock() for vite-plus/test imports \[backport to v4] - by **Hiroshi Ogawa**, **LongYinan**, **Claude Opus 4.8** and **Vladimir** in [#​10548](https://redirect.github.com/vitest-dev/vitest/issues/10548) [<samp>(2c955)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/2c9559c02) - **pool**: - Prevent test run hang on worker crash \[backport to v4] - by **Ari Perkkiö** and **Jattioui Ismail** in [#​10543](https://redirect.github.com/vitest-dev/vitest/issues/10543) and [#​10564](https://redirect.github.com/vitest-dev/vitest/issues/10564) [<samp>(934b0)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/934b0f587) 
##### [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.8...v4.1.9) </details> <details> <summary>vuejs/core (vue)</summary> ### [`v3.5.38`](https://redirect.github.com/vuejs/core/blob/HEAD/CHANGELOG.md#3538-2026-06-11) [Compare Source](https://redirect.github.com/vuejs/core/compare/v3.5.37...v3.5.38) </details> <details> <summary>vuejs/language-tools (vue-tsc)</summary> ### [`v3.3.5`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#335-2026-06-13) [Compare Source](https://redirect.github.com/vuejs/language-tools/compare/v3.3.4...v3.3.5) ##### language-core - **fix:** include event modifiers in duplicate listener checks ([#​6097](https://redirect.github.com/vuejs/language-tools/issues/6097)) - Thanks to [@​KazariEX](https://redirect.github.com/KazariEX)! </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). |
||
|
|
649cb6ff3e |
fix(actions): show run index in run view and fix summary graph height (#38165)
- Display the per-repository run number as `#N` next to the run title in the run view, matching the runs list and GitHub - Add the run `Index` to the run view API response (and the devtest mock) to support that - Restore the summary panel's `flex: 1` so the workflow graph fills the right-column height even when a run has no job summaries - Keep the job-summary section content-sized so it doesn't compete with the graph for height - Gate the devtest mock job summaries to a subset of runs so the devtest page also exercises the no-summary layout <img width="521" height="232" alt="image" src="https://github.com/user-attachments/assets/a1f2f20b-65bd-4d98-ba6a-b8135580a6de" /> |
||
|
|
a4781dde89 |
fix(indexer): fix assignee filters in issue search (#38021)
fix(indexer): fix assignee filters in issue search (#38021) Issue search filtering still relied on the legacy single-assignee field, so searches such as "Assigned to you" could miss issues when a keyword query was used. Index all issue assignee IDs and add an explicit no_assignee field so specific, any-assignee, and no-assignee filters work consistently across Bleve, Elasticsearch, and Meilisearch. Fixes #36299. |
||
|
|
7684221ed4 |
feat(actions): implement jobs.<job_id>.continue-on-error (#38100)
Support `continue-on-error` for workflow jobs when aggregating an Actions workflow run status. Previously, `continue-on-error` was parsed from workflow YAML but was not persisted or used when calculating the overall run result. As a result, a failed job could incorrectly fail the entire workflow even when the workflow explicitly allowed that job to fail. This PR stores the parsed `continue-on-error` value on each action run job and treats failed jobs with `continue-on-error: true` as successful when computing the workflow run status, matching GitHub Actions behavior. ## Changes - Add `ContinueOnError` to `jobparser.Job`. - Add `continue_on_error` to `ActionRunJob` with a `NOT NULL DEFAULT FALSE` migration. - Populate `ActionRunJob.ContinueOnError` when creating workflow run jobs. - Update workflow status aggregation so failed `continue-on-error` jobs do not fail the overall run. - Leave `resolveCheckNeeds` unchanged so dependent jobs still see the job result as `failure` and are skipped by default. ## Compatibility This is backward compatible. If only the runner or only the server is updated, `continue-on-error` continues to degrade to the previous behavior and is effectively ignored until both sides support it. Related runner PR: https://gitea.com/gitea/runner/pulls/1032 --------- Signed-off-by: bircni <bircni@icloud.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
|
2c2611eab9 |
chore(deps): update dependency djlint to v1.39.2 (#38192)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [djlint](https://redirect.github.com/djlint/djLint) | `==1.39.0` → `==1.39.2` |  |  | --- ### Release Notes <details> <summary>djlint/djLint (djlint)</summary> ### [`v1.39.2`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1392---2026-06-11) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.39.0...v1.39.2) v1.39.1 was not published due to mypyc compilation error. ##### Packaging - Fix mypyc compilation. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
685b62c60f | fix(api): don't expose private org membership via public_members (#38145) | ||
|
|
e5891263f8 |
docs: update changelog for 1.26.3 & 1.26.4 (#38178)
Front port changelog for 1.26.3 & 1.26.4 --------- Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
180af33f86 |
perf: Various performance regression fixes (#38078)
Fixes five N+1 / O(n) query patterns found across common user paths.
Each uses a bulk query that already existed elsewhere in the codebase.
| Location | Problem | Introduced in |
| --- | --- | --- |
| `IssueList.LoadIsRead` | `.In("issue_id")` missing its arg — xorm generates `WHERE 0=1`, so `IsRead` is **never** set; every issue always appears unread | #29515 |
| `ParseCommitsWithStatus` | `GetLatestCommitStatus` called once per commit (O(n) queries on commit list / PR commits tab) | #33605 |
| `getReleaseInfos` (release list) | `GetLatestCommitStatus` called once per release for CI badges | #29149 |
| User milestone dashboard | O(n×m) nested loop matching milestones to repos | #26300 |
| `findCodeComments` (PR diff) | `LoadResolveDoer` + `LoadReactions` called per inline comment — up to ~150 queries on a PR with 50 comments | #20821 |
---------
Co-authored-by: Lauris B <lauris@nix.lv>
|
||
|
|
ceec230fc0 |
fix: walk git log context error handling (#38182)
Fix #38177. Make WalkGitLog handle EOF and context errors correctly, and don't export these private functions, methods and structs. |
||
|
|
804b9bf120 |
chore: upgrade eslint plugins, remove eslint-plugin-github (#38046)
- Bump `eslint`, `typescript-eslint` and `eslint-plugin-unicorn` (to v68), and configure the rules added in unicorn v66/v67/v68. - Remove `eslint-plugin-github` and its workarounds (rules, type stub, pnpm peer override, in-code `eslint-disable` comments); the rules worth keeping are covered by `unicorn` equivalents. - Apply the resulting fixes and autofixes across the JS codebase. _Prepared with Claude (Opus 4.8)._ --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
5368542f8e | fix(cli): default must-change-password to false for bot users (#38175) | ||
|
|
645b10087d |
fix(hostmacher): patch incorrect private list (#38170)
regression from #38039 |
||
|
|
a12f980793 |
docs: fix duplicated word in foreachref doc comment (#38161)
The Format doc comment read "See See git-for-each-ref(1)" — removed the duplicated "See" (the sibling field comments use a single "See"). Signed-off-by: s3onghyun <s3onghyun.hong@gmail.com> |
||
|
|
21bcca798b |
fix: csp (#38162)
ref: https://github.com/go-gitea/gitea/issues/8707#issuecomment-4741577316 |
||
|
|
9c82394315 |
fix: Fix issue target branch selection for non-collaborators (#36916)
This PR fixes a bug in the UI that prevented non-collaborator users (the issue poster or creator) from setting the target branch (ref) of an issue. The backend API already supports this, but the UI was rigidly disabling the dropdown based only on collaborator status. Changes: - Enable the branch selector for the issue poster and during new issue creation. - Fix a typo (.IsIssueWriter -> .IsIssuePoster) that was preventing the reference update URL from being correctly set for posters. |
||
|
|
de83393487 |
refactor: replace legacy delete-button with link-action (#38143)
Removes the legacy `delete-button` handler (`initGlobalDeleteButton`) and migrates all remaining usages to `link-action` and `show-modal` / `form-fetch-action`. Two handlers are adjusted for the new request shape: webauthn key delete reads `id` from the query, and account deletion returns `JSONError` on validation failure. An E2E test is added to cover one of the use cases. Suggested in https://github.com/go-gitea/gitea/pull/38046#discussion_r3414936737. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
64f3796567 |
fix: Fix the panic when ssh remote lfs endpoint parsing failure (#38026)
Fix #38016 |
||
|
|
240d0efa7e |
perf: extend action c_u index to include created_unix for faster dashboard feeds (#38076)
Adds `created_unix` as the third column of the `c_u` composite index on the `action` table, changing it from `(user_id, is_deleted)` to `(user_id, is_deleted, created_unix)`. Migration 337 drops and recreates the index. No data is touched. ## Root causes #32333 introduced the `c_u` index to speed up dashboard queries, but defined it as `(user_id, is_deleted)` — without `created_unix`. #3368 The simple query is now efficient enough for the database to actually use `c_u`, but because `created_unix` is absent from the index, the database must load and sort **every** matching row before returning the first page of 20. The existing `c_u_d` index `(created_unix, user_id, is_deleted)` does not help because its leading column is `created_unix`, which can't be used for an equality seek on `user_id`. Those two caused this issue: https://github.com/go-gitea/gitea/issues/38075 With the fix, the database seeks directly to `(user_id=X, is_deleted=false)` and walks `created_unix` in descending order, stopping after 20 rows. Fixes https://github.com/go-gitea/gitea/issues/38075 |
||
|
|
68692e19d4 |
fix: Various security fixes (#38103)
- Enforce org visibility on organization label read endpoints (private org labels no longer leak to non-members). - Block fork sync (`merge-upstream`) when the base repo is no longer readable (stops pulling commits after a parent goes private). - Remove `REVERSE_PROXY_LIMIT` / `REVERSE_PROXY_TRUSTED_PROXIES` from the Docker `app.ini` templates (the `= *` default allowed `X-WEBAUTH-USER` impersonation; reverse-proxy auth is now opt-in and admin-configured). - Enforce single-use TOTP passcodes across web login, password-reset, and Basic-Auth `X-Gitea-OTP` (fixes a TOCTOU race and a stateless replay). - Re-check branch write permission for every ref in a push (the pre-receive hook cached the first ref's result, letting a per-branch maintainer-edit grant escalate to full repo write). --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
c68925152b |
docs: add development setup guide (#37960)
Moves the "Hacking on Gitea" page out of the documentation website and into the repository as `docs/development.md`, so contributors find build and test instructions next to the code. The content has been cleaned up and corrected for in-repo use. --------- Signed-off-by: bircni <bircni@icloud.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
|
9e84deb969 |
fix: Various sec fixes 2 (#38108)
- Enforce repository token scope on RSS/Atom feed endpoints so a PAT without repo scope can no longer read private repo commit data. - Block HTTP redirects during repository migration clones to prevent SSRF reaching internal addresses via an attacker-controlled redirect. - Redact the notification subject after repo access is revoked so private issue/PR metadata is no longer leaked through the notification API. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
|
795531cea0 | [skip ci] Updated translations via Crowdin | ||
|
|
0be7543560 |
fix(mssql): expand legacy issue and comment long-text columns (#38120)
## Summary This fixes pull request creation failures on upgraded MSSQL instances where legacy `issue` and `comment` long-text columns are still limited to `nvarchar(4000)`. When a PR is created, Gitea stores a pull request push timeline comment containing JSON with `commit_ids`. For PRs with many commits, that payload can exceed 4000 characters and MSSQL rejects the insert with: > String or binary data would be truncated in table 'comment', column 'content' This change adds a migration that expands the affected legacy MSSQL columns to `NVARCHAR(MAX)`. The previous migration in models/migrations/v1_16/v191.go only applies to MySQL, not MSSQL. The migration now skips columns already using NVARCHAR(MAX) / VARCHAR(MAX). Closes #37893 ## Changes - add migration `338` for MSSQL-only long-text expansion - expand: - `issue.content` - `comment.content` - `comment.patch` - add an MSSQL regression test that starts from a legacy `VARCHAR(4000)` schema and verifies inserts larger than 4000 characters succeed after migration ## Why this approach The current model already declares these fields as `LONGTEXT`, so the bug is caused by stale upgraded MSSQL schemas rather than by PR creation logic itself. Fixing the schema is the smallest and safest change, and also prevents similar truncation issues for other long issue/comment content. |
||
|
|
b7bd222e87 |
fix(deps): update npm dependencies (#38137)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.9.2` → `25.9.3`](https://renovatebot.com/diffs/npm/@types%2fnode/25.9.2/25.9.3) |  |  | | [vue](https://vuejs.org/) ([source](https://redirect.github.com/vuejs/core)) | [`3.5.35` → `3.5.37`](https://renovatebot.com/diffs/npm/vue/3.5.35/3.5.37) |  |  | --- ### Release Notes <details> <summary>vuejs/core (vue)</summary> ### [`v3.5.37`](https://redirect.github.com/vuejs/core/blob/HEAD/CHANGELOG.md#3537-2026-06-11) [Compare Source](https://redirect.github.com/vuejs/core/compare/v3.5.36...v3.5.37) ### [`v3.5.36`](https://redirect.github.com/vuejs/core/blob/HEAD/CHANGELOG.md#3536-2026-06-11) [Compare Source](https://redirect.github.com/vuejs/core/compare/v3.5.35...v3.5.36) ##### Bug Fixes - **compiler-core:** avoid crash on CDATA at the document root ([#​14916](https://redirect.github.com/vuejs/core/issues/14916)) ([0ea17e2]( |
||
|
|
134fcced88 | ci: trigger giteabot maintenance on main pushes (#38135) | ||
|
|
89d11314f9 | [skip ci] Updated translations via Crowdin | ||
|
|
8ff8422307 |
chore(deps): update module github.com/go-swagger/go-swagger to v0.34.1 (#38122)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-swagger/go-swagger](https://redirect.github.com/go-swagger/go-swagger) | `v0.34.0` → `v0.34.1` |  |  | --- ### Release Notes <details> <summary>go-swagger/go-swagger (github.com/go-swagger/go-swagger)</summary> ### [`v0.34.1`](https://redirect.github.com/go-swagger/go-swagger/releases/tag/v0.34.1) [Compare Source](https://redirect.github.com/go-swagger/go-swagger/compare/v0.34.0...v0.34.1) go-swagger release 0.34.1 *** Released on 2026 Jun 05 ##### [0.34.1](https://redirect.github.com/go-swagger/go-swagger/tree/v0.34.1) - 2026-06-05 Fixed regression on initialisms (codegen) **Full Changelog**: <https://github.com/go-swagger/go-swagger/compare/v0.34.0...v0.34.1> 7 commits in this release. *** ##### <!-- 01 -->Fixed bugs - fix(codegen): fixed regression from v0.34.0 : initialisms skipped by [@​fredbi](https://redirect.github.com/fredbi) in [#​3360](https://redirect.github.com/go-swagger/go-swagger/pull/3360) [...]( |
||
|
|
7997c1ccad |
fix(pull): preserve squash message trailers and additional commit messages (#37954)
* Closes #37950 * Closes #37946 * Fixes https://github.com/go-gitea/gitea/issues/37529 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
0eba0e371f |
fix(packages): validate module version in goproxy ParsePackage (#38104)
**Unvalidated version in goproxy ParsePackage** The module version is read straight from the zip directory path and never checked, so a crafted upload can leave a newline in it; `EnumeratePackageVersions` then writes each stored version on its own line for the `@v/list` endpoint, letting a module advertise fabricated versions to `go` clients. Validated the parsed version with `semver.IsValid` inside the parser, matching the version checks the other package parsers already do. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
|
052feee34a |
feat: add raw diff/patch endpoint for repository comparisons (#37632)
## Summary
Adds `GET
/repos/{owner}/{repo}/compare/{basehead}.{diffType:diff|patch}`,
mirroring the existing `/git/commits/{sha}.{diffType}` endpoint but for
comparisons between two arbitrary refs.
The new endpoint streams a raw unified diff or `git format-patch` output
between any two refs:
GET /repos/{owner}/{repo}/compare/main...feature.diff
GET /repos/{owner}/{repo}/compare/v1.0..v1.1.patch
GET /repos/{owner}/{repo}/compare/abc1234...def5678.diff
Resolves #5561, #13416 and #17165.
AI was used while creating this PR. Automated tests were added as per
the contribution policy.
---------
Co-authored-by: bircni <bircni@icloud.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
|
||
|
|
b4cb192fba |
chore(deps): update pnpm to v11.5.3 (#38133)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.5.2` → `11.5.3`](https://renovatebot.com/diffs/npm/pnpm/11.5.2/11.5.3) |  |  | --- ### Release Notes <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.5.3`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1153) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.5.2...v11.5.3) ##### Patch Changes - Stopped expanding environment variables in repository-controlled registry/proxy request destinations and registry credential values from `.npmrc`, and in workspace registry URLs from `pnpm-workspace.yaml`. Move dynamic registry URL and token configuration to trusted user, global, CLI, or environment config. - Resolve package-manager bootstrap dependencies with trusted user or CLI registry and network config, and reject package-manager env-lockfile records that do not use registry package paths with integrity-only resolutions before auto-switch execution. - Avoid writing `packageManagerDependencies` to `pnpm-lock.yaml` when package manager policy is set to `onFail: ignore` or `pmOnFail: ignore` [#​12228](https://redirect.github.com/pnpm/pnpm/issues/12228). - Avoid running dependency-status auto-install when the dependency status is unavailable without a project manifest. - Using the `$` version reference syntax in `overrides` (e.g. `"react": "$react"`) now prints a deprecation warning. The syntax still works, but [catalogs](https://pnpm.io/catalogs) are the recommended way to keep an overridden version in sync with the rest of the workspace. Reference a catalog entry with the `catalog:` protocol instead. 
- Fixed `pnpm config get globalconfig` to return the global `config.yaml` path again [pnpm/pnpm#11962](https://redirect.github.com/pnpm/pnpm/issues/11962). - Fixed bare `--color` so it does not consume the following CLI flag, allowing command shorthands like `--parallel` to expand correctly and forms like `pnpm --color with current <command>` to dispatch the inner command instead of failing with `MISSING_WITH_CURRENT_CMD`. - Fix `pnpm install` ignoring `enableGlobalVirtualStore` toggle by including it in the workspace state settings check [#​12142](https://redirect.github.com/pnpm/pnpm/issues/12142). - Security: pnpm now verifies the npm registry signature of a package-manager binary before spawning it, so a cloned repository cannot make pnpm download and execute an arbitrary native binary. This covers two paths that select an executable from repository-controlled input: - **pacquet install engine** — declaring `pacquet` (or `@pnpm/pacquet`) in `configDependencies` opts in to pnpm's Rust install engine. pnpm now verifies that the installed `pacquet` shim and the host's `@pacquet/<platform>-<arch>` binary carry a valid npm registry signature for their exact `name@version`, and refuses to run pacquet (failing the command) if the signature does not verify or cannot be checked. The only graceful fallback to pnpm's own engine is when pacquet has no binary for the current platform. - **automatic version switch / `self-update`** — the `packageManager` / `devEngines.packageManager` field makes pnpm download and run a specific pnpm version. pnpm now verifies the registry signature of `pnpm`, `@pnpm/exe`, and the host platform binary before installing/spawning them, and refuses to run an engine whose signature does not match a published, signed release. The check runs only on an actual download (store cache miss), so it does not add a network round trip to every command. 
In both cases the signature is verified over the *installed* integrity, against npm's public signing keys that ship embedded in the pnpm CLI (like corepack), so bytes substituted via a tampered lockfile or a repository-controlled registry fail verification — and a registry the user did not vouch for cannot supply its own signing keys. The signed packument is fetched from the configured registry, so an npm mirror works transparently. Verification fails closed: if it cannot be completed (for example, the registry is unreachable), the command fails rather than running an unverified binary. The embedded keys are kept current by a release-time check against npm's signing-keys endpoint. - Made peer-dependent deduplication deterministic. When a peer-suffixed package variant was a subset of two or more mutually incompatible larger variants, the variant it collapsed into depended on the order importers were resolved in, which varies between machines. This could resolve the same workspace to different lockfiles on different platforms and make `pnpm dedupe --check` alternate between passing and failing. - Reject invalid package names and versions from staged tarball manifests before deriving filenames for `pnpm stage download`. - Clarified in CLI help that the pnpm store is trusted shared state and store integrity checks are corruption detection, not a tamper boundary for untrusted store writers. - Reject reserved manifest `bin` names (`""`, `"."`, `".."`, and scoped forms such as `@scope/..`) when resolving a package's bins. These names previously passed the bin-name guard and, when joined to the global bin directory during global remove/update/add operations, could resolve to the global bin directory itself or its parent and have it recursively deleted. - Require trusted package identity before package-name `allowBuilds` entries can approve lifecycle scripts for git, git-hosted tarball, direct tarball, and local directory artifacts. 
To approve one of those artifacts explicitly, use its peer-suffix-free lockfile depPath as the `allowBuilds` key. Lockfile verification now rejects lockfiles where a registry-style dependency path (`name@semver`) is backed by a git, directory, or git-hosted tarball resolution (`ERR_PNPM_RESOLUTION_SHAPE_MISMATCH`), so the dependency path is a reliable artifact identity by the time scripts can run. - Security: pnpm now verifies the OpenPGP signature of a downloaded Node.js runtime's `SHASUMS256.txt` before trusting its integrity hashes. When a repository requests a Node.js runtime (e.g. via `devEngines.runtime` / `useNodeVersion`), the download mirror is repository-configurable through `node-mirror:<channel>`. The integrity of the downloaded binary was only checked against `SHASUMS256.txt` fetched from that same mirror — a circular check that a malicious mirror could satisfy by serving a tampered binary together with a matching `SHASUMS256.txt`. pnpm then executes the binary (for example to run lifecycle scripts). pnpm now fetches `SHASUMS256.txt.sig` and verifies the detached OpenPGP signature against the Node.js release team's public keys, which ship embedded in the pnpm CLI. A mirror that serves a tampered binary cannot also produce a valid signature, so the download fails to verify. The embedded keys are kept current by a release-time check against the canonical `nodejs/release-keys` list. The musl variants from the hardcoded `unofficial-builds.nodejs.org` mirror are not repository-configurable and are signed by a different key, so they continue to be trusted over TLS. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 
🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
1363b097e2 |
chore(deps): update action dependencies (#38121)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | redis | service | digest | `e74c9b9` → `a505f8b` | | [renovatebot/github-action](https://redirect.github.com/renovatebot/github-action) | action | patch | `v46.1.14` → `v46.1.15` | --- ### Release Notes <details> <summary>renovatebot/github-action (renovatebot/github-action)</summary> ### [`v46.1.15`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.15) [Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.14...v46.1.15) ##### Documentation - update references to actions/checkout to v6.0.3 ([#​1033](https://redirect.github.com/renovatebot/github-action/issues/1033)) ([fb473e1]( |
||
|
|
d2186ecd03 | docs: update missed gov docs update (#38131) | ||
|
|
76f8d122fe |
fix(deps): update npm dependencies (#38123)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/lint | [`6.9.6` → `6.9.7`](https://renovatebot.com/diffs/npm/@codemirror%2flint/6.9.6/6.9.7) |  |  | | @​codemirror/view | [`6.43.0` → `6.43.1`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.43.0/6.43.1) |  |  | | [@primer/octicons](https://primer.style/octicons) ([source](https://redirect.github.com/primer/octicons)) | [`19.28.0` → `19.28.1`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.28.0/19.28.1) |  |  | | [@types/jquery](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/jquery) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jquery)) | [`4.0.0` → `4.0.1`](https://renovatebot.com/diffs/npm/@types%2fjquery/4.0.0/4.0.1) |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.9.1` → `25.9.2`](https://renovatebot.com/diffs/npm/@types%2fnode/25.9.1/25.9.2) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.60.1` → `8.61.0`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.60.1/8.61.0) |  |  | | [@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest) | [`1.6.19` → `1.6.20`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.19/1.6.20) |  |  | | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.10.1` → `20.10.2`](https://renovatebot.com/diffs/npm/happy-dom/20.10.1/20.10.2) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.5.1` → 
`11.5.2`](https://renovatebot.com/diffs/npm/pnpm/11.5.1/11.5.2) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.12.0` → `17.13.0`](https://renovatebot.com/diffs/npm/stylelint/17.12.0/17.13.0) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.60.1` → `8.61.0`](https://renovatebot.com/diffs/npm/typescript-eslint/8.60.1/8.61.0) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.17.3` → `17.18.0`](https://renovatebot.com/diffs/npm/updates/17.17.3/17.18.0) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.3.3` → `3.3.4`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.3/3.3.4) |  |  | --- ### Release Notes <details> <summary>primer/octicons (@​primer/octicons)</summary> ### [`v19.28.1`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19281) [Compare Source](https://redirect.github.com/primer/octicons/compare/v19.28.0...v19.28.1) ##### Patch Changes - [#​1215](https://redirect.github.com/primer/octicons/pull/1215) [`378d7af0`]( |
||
|
|
4ca706d6a9 |
chore(deps): update dependency djlint to v1.39.0 (#38124)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [djlint](https://redirect.github.com/djlint/djLint) | `==1.36.4` → `==1.39.0` |  |  | --- ### Release Notes <details> <summary>djlint/djLint (djlint)</summary> ### [`v1.39.0`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1390---2026-06-05) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.38.2...v1.39.0) ##### Feature - Add `preserve_class_newlines` / `--preserve-class-newlines` to keep authored line breaks inside multiline `class` attributes. ##### Fix - Fix Django 6.0 `{% partialdef %}` block indentation so `{% endpartialdef %}` aligns with its opener. - Preserve multiline Django/Jinja control-flow blocks instead of condensing short bodies onto one line. - Preserve single-line inline HTML and template tag bodies during expansion, even when they exceed `max_line_length`. ### [`v1.38.2`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1382---2026-06-05) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.38.1...v1.38.2) ##### Fix - Fix `python -m djlint` not working due to mypyc compilation. ### [`v1.38.1`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1381---2026-06-04) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.38.0...v1.38.1) ##### Fix - Match exclude paths on path boundaries. ### [`v1.38.0`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1380---2026-06-04) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.37.0...v1.38.0) ##### Feature - Add support for `.djlint.toml` project and global config files. ##### Fix - Preserve single-line inline HTML tag bodies when they fit within `max_line_length`. - Avoid evaluating template expressions while formatting tag contents. ##### Packaging - Fix npm publish workflow. 
### [`v1.37.0`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1370---2026-06-04) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.36.4...v1.37.0) ##### Feature - Add `--format-attribute-js-json` for formatting JavaScript and JSON inside HTML attributes. It also supports `format_attribute_js_json_pattern` and `format_attribute_js_json_min_props` for tuning which attributes are formatted. Thanks, [@​oliverhaas](https://redirect.github.com/oliverhaas). - Add `--github-output` for GitHub Actions annotations. Thanks, [@​iloveitaly](https://redirect.github.com/iloveitaly). ##### Fix - Fix `ignore_blocks` matching when ignored blocks are indented. Thanks, [@​tdryer](https://redirect.github.com/tdryer). - Use relative paths for `--exclude` and `--use-gitignore` matching so path filters work consistently from nested directories. Thanks, [@​satya-waylit](https://redirect.github.com/satya-waylit). - Stop D018/J018 from flagging root links such as `href="/"`. Thanks, [@​SAY-5](https://redirect.github.com/SAY-5). - Do not treat soft hyphen entities as text for H023. Thanks, [@​kotutuloro](https://redirect.github.com/kotutuloro). - Fix Handlebars `{{#unless}}` indentation. Thanks, [@​S1mplePixels](https://redirect.github.com/S1mplePixels). - Fix formatting when `/>` appears inside an HTML attribute value. Thanks, [@​novucs](https://redirect.github.com/novucs). - Improve CPU count handling for worker setup. ##### Performance - Improve formatter caching and reduce cache memory usage. Formatting is about 19% faster. ##### Documentation - Add Chinese translation. Thanks, [@​Twisuki](https://redirect.github.com/Twisuki). - Add Homebrew installation instructions. Thanks, [@​alfawal](https://redirect.github.com/alfawal). - Add EFM Neovim integration documentation. Thanks, [@​danielebra](https://redirect.github.com/danielebra). - Add copy-pastable pre-commit YAML to the README. 
Thanks, [@Pierre-Sassoulas](https://redirect.github.com/Pierre-Sassoulas). - Polish linter and CLI documentation. Thanks, [@jasonaowen](https://redirect.github.com/jasonaowen) and [@dotWee](https://redirect.github.com/dotWee). ##### Packaging - Drop Python 3.9 support. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
bce6df24b7 | feat(actions): show run status on browser tab favicon (#38071) | ||
|
|
e70b91d8ec |
chore: center info message for unsupported jupyter notebook versions (#38114)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
a77edc7ba4 |
chore(actions): Add icon for status filter (#38082)
<img width="352" height="391" alt="image" src="https://github.com/user-attachments/assets/261dd567-49c2-4fc6-a646-5f8641e08192" /> --------- Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
55250407dd |
feat(org): add team visibility so org members can discover teams (#37680)
Closes #37670. Today, org members in Gitea only see teams they're a member of. In larger orgs that hurts onboarding and discoverability — there's no way to look up which team owns what without asking around. GitHub solves this with a per-team visibility setting; this PR brings the same model to Gitea. ## What changes - Every team gets a `visibility` setting: - `private` *(default)* — only team members and org owners can see the team. Same as today's behavior. - `limited` — listable by any member of the organization. Members and the repos the team has access to are visible too. Non-org-members still see nothing. - `public` — listable by any signed-in user. - The Owners team visibility is fixed and cannot be changed via settings. - Existing teams default to `private`, so this is a no-op for anyone who doesn't change anything. ## API - `Team`, `CreateTeamOption`, `EditTeamOption` all gain a `visibility` field (string enum: `private` | `limited` | `public`). - `GET /orgs/{org}/teams` and `/orgs/{org}/teams/search` now apply the same visibility rules as the web UI: - site admins and org owners still see every team - other org members see their own teams plus any `limited` or `public` team - `private` teams are no longer leaked through these endpoints - Swagger/OpenAPI specs regenerated. ## UI View from admin2 (not an owner): <img width="1669" height="726" src="https://github.com/user-attachments/assets/daf4bccb-644b-4426-b178-71963aeaf73b" /> View from admin (owner): <img width="2559" height="863" src="https://github.com/user-attachments/assets/4f22cebc-e9df-4fd2-8ed4-724d31fadb7a" /> --------- Signed-off-by: bircni <bircni@icloud.com> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
80ca22a9ef | chore(deps): bump dockerfile to use Alpine 3.24 (#38077) | ||
|
|
47d48eb208 | chore: fix form string abuse (#38106) | ||
|
|
3417bc8979 | docs: Clarify criteria for becoming a merger (#38113) | ||
|
|
c6167d1ff5 |
feat(api): add token introspection and self-deletion endpoint (#37995)
Adds a /api/v1/token endpoint that allows tokens to introspect and delete themselves. partially fixes: https://github.com/go-gitea/gitea/issues/33583 Assisted-by: Mistral Vibe:mistral-medium-3.5 --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
b8ef6a91e6 |
docs: Publish TOC Election Result 2026 (#38111)
- Adjusted the wording for what happens on a draw (somehow we managed to get a draw) The new members are: - @delvh - @bircni - @TheFox0x7 Closes #37551 |
||
|
|
c7af379672 |
fix(api): nil pointer panic when filtering tracked times by a non-existent user (#38112)
## Problem
`GET /repos/{owner}/{repo}/times` and `GET
/repos/{owner}/{repo}/issues/{index}/times` crash with a nil pointer
dereference when the `user` query filter names a user that does not
exist.
## Root cause
In `ListTrackedTimes` and `ListTrackedTimesByRepository`, the
`IsErrUserNotExist` branch sends the 404 but is missing a `return`, so
execution falls through to `opts.UserID = user.ID` with a nil `user`.
---------
Co-authored-by: bircni <bircni@icloud.com>
|
||
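The root cause named in the commit message above (a 404 branch with no `return`, followed by a read through a nil `user`), reproduced next to the fixed form as an added example that is not Gitea's code. The `User` type, `getUserByName`, `listTimes`, `probe` and the sample data are hypothetical stand-ins.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// User and the lookup below are hypothetical stand-ins, not Gitea's models.
type User struct{ ID int64 }

var errUserNotExist = errors.New("user does not exist")
var users = map[string]*User{"alice": {ID: 7}} // constructed sample data

func getUserByName(name string) (*User, error) {
	if u, ok := users[name]; ok {
		return u, nil
	}
	return nil, errUserNotExist
}

// listTimes filters by the optional ?user= parameter. With returnAfter404
// set to false it reproduces the bug: the 404 is written, then user.ID is
// read through a nil pointer.
func listTimes(returnAfter404 bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var userID int64
		if name := r.URL.Query().Get("user"); name != "" {
			user, err := getUserByName(name)
			if errors.Is(err, errUserNotExist) {
				http.Error(w, "user not found", http.StatusNotFound)
				if returnAfter404 {
					return // the fix: stop once the error response is sent
				}
			} else if err != nil {
				http.Error(w, "internal error", http.StatusInternalServerError)
				return
			}
			userID = user.ID // nil dereference when the branch above fell through
		}
		fmt.Fprintf(w, "tracked times for user id %d", userID)
	}
}

// probe sends one request and reports the status code written so far and
// whether the handler panicked.
func probe(h http.Handler, query string) (status int, panicked bool) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/repos/o/r/times"+query, nil)
	defer func() {
		panicked = recover() != nil
		status = rec.Code
	}()
	h.ServeHTTP(rec, req)
	return
}

func main() {
	for _, fixed := range []bool{false, true} {
		status, panicked := probe(listTimes(fixed), "?user=ghost")
		fmt.Printf("return after 404: %v, status %d, panicked %v\n", fixed, status, panicked)
	}
}
```

A regression test for this class of bug asserts both the status code and that the handler returns without panicking, since the 404 alone is written in both variants.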
|
|
e82352f156 |
feat(web): Add Jupyter Notebook (.ipynb) Rendering Support (#37433)
### Summary Closes #37308 Adds native rendering support for Jupyter notebook files (`.ipynb`) in Gitea using backend rendering, allowing users to view formatted notebooks with code cells, markdown, outputs, and visualizations directly in the repository browser. ### Motivation Jupyter notebooks are widely used in data science, machine learning, and scientific computing. Currently, Gitea displays `.ipynb` files as raw JSON, making them difficult to read. This feature enables users to view notebooks in a formatted, readable way similar to GitHub and GitLab. ### Implementation Approach **Evolution:** Initially implemented frontend rendering using `marked` and `Shiki` libraries. After review feedback, migrated to backend rendering for better performance, security, and consistency with Gitea architecture. #### Backend Rendering Advantages - Server-side HTML generation eliminates client-side parsing overhead - Integrates with Gitea existing markup sanitizer for security - Uses Chroma for syntax highlighting (consistent with code files) - Uses Goldmark for markdown rendering (consistent with `.md` files) - No additional frontend dependencies required - Better performance for large notebooks ### Features #### Supported Cell Types - **Markdown cells:** Rendered with Goldmark (tables, lists, links, code blocks, etc.) 
- **Code cells:** Syntax-highlighted with Chroma, execution counts, language detection from notebook metadata - **Output cells:** Multiple output types in a single cell #### Supported Output Types - ✅ Text/plain outputs - ✅ Images (PNG, JPEG, SVG) with base64 data URIs - ✅ HTML outputs (tables, DataFrames, formatted text) - ✅ LaTeX/math equations (rendered as code blocks) - ✅ Error outputs with traceback (styled in red) - ✅ Stream outputs (`stdout`/`stderr`) - ⚠️ Interactive widgets (Plotly, ipywidgets) show informative messages - ⚠️ JavaScript outputs show security warning (disabled for safety) #### Edge Cases Handled - Empty notebooks or notebooks with no outputs - Corrupted JSON with graceful error display - Mixed output types in single cell - Large base64-encoded images - Execution count of `null` or `0` - `nbformat` version compatibility (only renders `nbformat 4+`, shows message for older versions) ### Changes #### Backend (Go) - `modules/markup/jupyter/jupyter.go` (**NEW**) - Jupyter notebook renderer implementation - Parses `.ipynb` JSON structure and generates HTML - Integrates Chroma for code syntax highlighting - Integrates Goldmark for markdown cell rendering - Dynamic language detection from notebook metadata - Handles all standard Jupyter output types - Comprehensive error handling with user-friendly messages - `modules/markup/renderer.go` (**MODIFIED**) - Registered Jupyter renderer in markup system - `main.go` (**MODIFIED**) - Import Jupyter renderer package for initialization #### Styling (CSS) - `web_src/css/markup/jupyter.css` (**NEW**) - Comprehensive styling for notebook cells, code, outputs - Uses Gitea CSS variables for consistent theming - Responsive layout with proper spacing - Table styling for DataFrame outputs - Removed parent container padding for consistency with other renderers #### Sanitizer Rules - `modules/markup/jupyter/jupyter.go` → `SanitizerRules()` - Configured HTML sanitization rules for safe rendering: - Cell structure 
(markdown, code, input/output wrappers) - Code highlighting (Chroma classes) - Images (base64 data URIs only) - Tables (DataFrames) - Markdown elements (headers, lists, links, etc.) ### Security Considerations - Server-side rendering: No client-side JavaScript execution - HTML sanitization: Strict allowlist for HTML elements and attributes - Image security: Only base64 data URIs allowed (no external URLs) - JavaScript disabled: `application/javascript` outputs show warning - XSS protection: Gitea markup sanitizer handles all HTML output ### Testing Manual testing performed with various notebooks: - Markdown rendering (headers, lists, tables, links, code blocks) - Code cells with execution counts and syntax highlighting - Multiple output types (text, images, HTML, LaTeX, errors, streams) - Error handling for edge cases - Theme compatibility (light/dark mode) ### Screenshots <img width="1080" height="553" alt="image" src="https://github.com/user-attachments/assets/aef9afa7-ed96-434d-98b0-b160565fc967" /> <img width="1092" height="552" alt="image" src="https://github.com/user-attachments/assets/6e61e792-4737-41c1-851e-5c375c1f932a" /> <img width="1104" height="622" alt="image" src="https://github.com/user-attachments/assets/4ac630c1-3a75-4e1c-9bba-c0a27484d001" /> <img width="1104" height="529" alt="image" src="https://github.com/user-attachments/assets/33750c47-70de-4ab2-893d-e5d09fa8d9c4" /> <img width="1111" height="343" alt="image" src="https://github.com/user-attachments/assets/52107d9f-0e06-420b-9ab4-1603dcd676b1" /> <img width="1091" height="650" alt="image" src="https://github.com/user-attachments/assets/0addae21-efa4-44bb-a56e-0418e3d4d227" /> <img width="1077" height="298" alt="image" src="https://github.com/user-attachments/assets/a3a8c5be-638c-45ff-82f3-816264254ead" /> ### Dependencies No new dependencies required: - Chroma (existing) - Syntax highlighting - Goldmark (existing) - Markdown rendering - Standard library - JSON parsing ### Key Design 
Decisions - Backend rendering for performance and security - Reuses existing Gitea infrastructure (Chroma, Goldmark, sanitizer) - Consistent styling with other markup renderers - Graceful degradation for unsupported features --- **Development Note:** This PR was developed with assistance from Amazon Q Developer and Claude AI for implementation, debugging, and testing. --------- Signed-off-by: Karthik Bhandary <34509856+karthikbhandary2@users.noreply.github.com> Co-authored-by: karthik.bhandary <karthik.bhandary@kfintech.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: bircni <bircni@icloud.com> |