mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-15 20:25:18 +02:00
b4cb192fba71fe280d67ce6f8076cdefa46569b3
20997 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
b4cb192fba |
chore(deps): update pnpm to v11.5.3 (#38133)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.5.2` → `11.5.3`](https://renovatebot.com/diffs/npm/pnpm/11.5.2/11.5.3) |  |  | --- ### Release Notes <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.5.3`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1153) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.5.2...v11.5.3) ##### Patch Changes - Stopped expanding environment variables in repository-controlled registry/proxy request destinations and registry credential values from `.npmrc`, and in workspace registry URLs from `pnpm-workspace.yaml`. Move dynamic registry URL and token configuration to trusted user, global, CLI, or environment config. - Resolve package-manager bootstrap dependencies with trusted user or CLI registry and network config, and reject package-manager env-lockfile records that do not use registry package paths with integrity-only resolutions before auto-switch execution. - Avoid writing `packageManagerDependencies` to `pnpm-lock.yaml` when package manager policy is set to `onFail: ignore` or `pmOnFail: ignore` [#​12228](https://redirect.github.com/pnpm/pnpm/issues/12228). - Avoid running dependency-status auto-install when the dependency status is unavailable without a project manifest. - Using the `$` version reference syntax in `overrides` (e.g. `"react": "$react"`) now prints a deprecation warning. The syntax still works, but [catalogs](https://pnpm.io/catalogs) are the recommended way to keep an overridden version in sync with the rest of the workspace. Reference a catalog entry with the `catalog:` protocol instead. 
- Fixed `pnpm config get globalconfig` to return the global `config.yaml` path again [pnpm/pnpm#11962](https://redirect.github.com/pnpm/pnpm/issues/11962). - Fixed bare `--color` so it does not consume the following CLI flag, allowing command shorthands like `--parallel` to expand correctly and forms like `pnpm --color with current <command>` to dispatch the inner command instead of failing with `MISSING_WITH_CURRENT_CMD`. - Fix `pnpm install` ignoring `enableGlobalVirtualStore` toggle by including it in the workspace state settings check [#​12142](https://redirect.github.com/pnpm/pnpm/issues/12142). - Security: pnpm now verifies the npm registry signature of a package-manager binary before spawning it, so a cloned repository cannot make pnpm download and execute an arbitrary native binary. This covers two paths that select an executable from repository-controlled input: - **pacquet install engine** — declaring `pacquet` (or `@pnpm/pacquet`) in `configDependencies` opts in to pnpm's Rust install engine. pnpm now verifies that the installed `pacquet` shim and the host's `@pacquet/<platform>-<arch>` binary carry a valid npm registry signature for their exact `name@version`, and refuses to run pacquet (failing the command) if the signature does not verify or cannot be checked. The only graceful fallback to pnpm's own engine is when pacquet has no binary for the current platform. - **automatic version switch / `self-update`** — the `packageManager` / `devEngines.packageManager` field makes pnpm download and run a specific pnpm version. pnpm now verifies the registry signature of `pnpm`, `@pnpm/exe`, and the host platform binary before installing/spawning them, and refuses to run an engine whose signature does not match a published, signed release. The check runs only on an actual download (store cache miss), so it does not add a network round trip to every command. 
In both cases the signature is verified over the *installed* integrity, against npm's public signing keys that ship embedded in the pnpm CLI (like corepack), so bytes substituted via a tampered lockfile or a repository-controlled registry fail verification — and a registry the user did not vouch for cannot supply its own signing keys. The signed packument is fetched from the configured registry, so an npm mirror works transparently. Verification fails closed: if it cannot be completed (for example, the registry is unreachable), the command fails rather than running an unverified binary. The embedded keys are kept current by a release-time check against npm's signing-keys endpoint. - Made peer-dependent deduplication deterministic. When a peer-suffixed package variant was a subset of two or more mutually incompatible larger variants, the variant it collapsed into depended on the order importers were resolved in, which varies between machines. This could resolve the same workspace to different lockfiles on different platforms and make `pnpm dedupe --check` alternate between passing and failing. - Reject invalid package names and versions from staged tarball manifests before deriving filenames for `pnpm stage download`. - Clarified in CLI help that the pnpm store is trusted shared state and store integrity checks are corruption detection, not a tamper boundary for untrusted store writers. - Reject reserved manifest `bin` names (`""`, `"."`, `".."`, and scoped forms such as `@scope/..`) when resolving a package's bins. These names previously passed the bin-name guard and, when joined to the global bin directory during global remove/update/add operations, could resolve to the global bin directory itself or its parent and have it recursively deleted. - Require trusted package identity before package-name `allowBuilds` entries can approve lifecycle scripts for git, git-hosted tarball, direct tarball, and local directory artifacts. 
To approve one of those artifacts explicitly, use its peer-suffix-free lockfile depPath as the `allowBuilds` key. Lockfile verification now rejects lockfiles where a registry-style dependency path (`name@semver`) is backed by a git, directory, or git-hosted tarball resolution (`ERR_PNPM_RESOLUTION_SHAPE_MISMATCH`), so the dependency path is a reliable artifact identity by the time scripts can run. - Security: pnpm now verifies the OpenPGP signature of a downloaded Node.js runtime's `SHASUMS256.txt` before trusting its integrity hashes. When a repository requests a Node.js runtime (e.g. via `devEngines.runtime` / `useNodeVersion`), the download mirror is repository-configurable through `node-mirror:<channel>`. The integrity of the downloaded binary was only checked against `SHASUMS256.txt` fetched from that same mirror — a circular check that a malicious mirror could satisfy by serving a tampered binary together with a matching `SHASUMS256.txt`. pnpm then executes the binary (for example to run lifecycle scripts). pnpm now fetches `SHASUMS256.txt.sig` and verifies the detached OpenPGP signature against the Node.js release team's public keys, which ship embedded in the pnpm CLI. A mirror that serves a tampered binary cannot also produce a valid signature, so the download fails to verify. The embedded keys are kept current by a release-time check against the canonical `nodejs/release-keys` list. The musl variants from the hardcoded `unofficial-builds.nodejs.org` mirror are not repository-configurable and are signed by a different key, so they continue to be trusted over TLS. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 
🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
1363b097e2 |
chore(deps): update action dependencies (#38121)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | redis | service | digest | `e74c9b9` → `a505f8b` | | [renovatebot/github-action](https://redirect.github.com/renovatebot/github-action) | action | patch | `v46.1.14` → `v46.1.15` | --- ### Release Notes <details> <summary>renovatebot/github-action (renovatebot/github-action)</summary> ### [`v46.1.15`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.15) [Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.14...v46.1.15) ##### Documentation - update references to actions/checkout to v6.0.3 ([#​1033](https://redirect.github.com/renovatebot/github-action/issues/1033)) ([fb473e1]( |
||
|
|
d2186ecd03 | docs: update missed gov docs update (#38131) | ||
|
|
76f8d122fe |
fix(deps): update npm dependencies (#38123)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/lint | [`6.9.6` → `6.9.7`](https://renovatebot.com/diffs/npm/@codemirror%2flint/6.9.6/6.9.7) |  |  | | @​codemirror/view | [`6.43.0` → `6.43.1`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.43.0/6.43.1) |  |  | | [@primer/octicons](https://primer.style/octicons) ([source](https://redirect.github.com/primer/octicons)) | [`19.28.0` → `19.28.1`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.28.0/19.28.1) |  |  | | [@types/jquery](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/jquery) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jquery)) | [`4.0.0` → `4.0.1`](https://renovatebot.com/diffs/npm/@types%2fjquery/4.0.0/4.0.1) |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.9.1` → `25.9.2`](https://renovatebot.com/diffs/npm/@types%2fnode/25.9.1/25.9.2) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.60.1` → `8.61.0`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.60.1/8.61.0) |  |  | | [@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest) | [`1.6.19` → `1.6.20`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.19/1.6.20) |  |  | | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.10.1` → `20.10.2`](https://renovatebot.com/diffs/npm/happy-dom/20.10.1/20.10.2) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.5.1` → 
`11.5.2`](https://renovatebot.com/diffs/npm/pnpm/11.5.1/11.5.2) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.12.0` → `17.13.0`](https://renovatebot.com/diffs/npm/stylelint/17.12.0/17.13.0) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.60.1` → `8.61.0`](https://renovatebot.com/diffs/npm/typescript-eslint/8.60.1/8.61.0) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.17.3` → `17.18.0`](https://renovatebot.com/diffs/npm/updates/17.17.3/17.18.0) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.3.3` → `3.3.4`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.3/3.3.4) |  |  | --- ### Release Notes <details> <summary>primer/octicons (@​primer/octicons)</summary> ### [`v19.28.1`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19281) [Compare Source](https://redirect.github.com/primer/octicons/compare/v19.28.0...v19.28.1) ##### Patch Changes - [#​1215](https://redirect.github.com/primer/octicons/pull/1215) [`378d7af0`]( |
||
|
|
4ca706d6a9 |
chore(deps): update dependency djlint to v1.39.0 (#38124)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [djlint](https://redirect.github.com/djlint/djLint) | `==1.36.4` → `==1.39.0` |  |  | --- ### Release Notes <details> <summary>djlint/djLint (djlint)</summary> ### [`v1.39.0`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1390---2026-06-05) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.38.2...v1.39.0) ##### Feature - Add `preserve_class_newlines` / `--preserve-class-newlines` to keep authored line breaks inside multiline `class` attributes. ##### Fix - Fix Django 6.0 `{% partialdef %}` block indentation so `{% endpartialdef %}` aligns with its opener. - Preserve multiline Django/Jinja control-flow blocks instead of condensing short bodies onto one line. - Preserve single-line inline HTML and template tag bodies during expansion, even when they exceed `max_line_length`. ### [`v1.38.2`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1382---2026-06-05) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.38.1...v1.38.2) ##### Fix - Fix `python -m djlint` not working due to mypyc compilation. ### [`v1.38.1`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1381---2026-06-04) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.38.0...v1.38.1) ##### Fix - Match exclude paths on path boundaries. ### [`v1.38.0`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1380---2026-06-04) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.37.0...v1.38.0) ##### Feature - Add support for `.djlint.toml` project and global config files. ##### Fix - Preserve single-line inline HTML tag bodies when they fit within `max_line_length`. - Avoid evaluating template expressions while formatting tag contents. ##### Packaging - Fix npm publish workflow. 
### [`v1.37.0`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1370---2026-06-04) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.36.4...v1.37.0) ##### Feature - Add `--format-attribute-js-json` for formatting JavaScript and JSON inside HTML attributes. It also supports `format_attribute_js_json_pattern` and `format_attribute_js_json_min_props` for tuning which attributes are formatted. Thanks, [@​oliverhaas](https://redirect.github.com/oliverhaas). - Add `--github-output` for GitHub Actions annotations. Thanks, [@​iloveitaly](https://redirect.github.com/iloveitaly). ##### Fix - Fix `ignore_blocks` matching when ignored blocks are indented. Thanks, [@​tdryer](https://redirect.github.com/tdryer). - Use relative paths for `--exclude` and `--use-gitignore` matching so path filters work consistently from nested directories. Thanks, [@​satya-waylit](https://redirect.github.com/satya-waylit). - Stop D018/J018 from flagging root links such as `href="/"`. Thanks, [@​SAY-5](https://redirect.github.com/SAY-5). - Do not treat soft hyphen entities as text for H023. Thanks, [@​kotutuloro](https://redirect.github.com/kotutuloro). - Fix Handlebars `{{#unless}}` indentation. Thanks, [@​S1mplePixels](https://redirect.github.com/S1mplePixels). - Fix formatting when `/>` appears inside an HTML attribute value. Thanks, [@​novucs](https://redirect.github.com/novucs). - Improve CPU count handling for worker setup. ##### Performance - Improve formatter caching and reduce cache memory usage. Formatting is about 19% faster. ##### Documentation - Add Chinese translation. Thanks, [@​Twisuki](https://redirect.github.com/Twisuki). - Add Homebrew installation instructions. Thanks, [@​alfawal](https://redirect.github.com/alfawal). - Add EFM Neovim integration documentation. Thanks, [@​danielebra](https://redirect.github.com/danielebra). - Add copy-pastable pre-commit YAML to the README. 
Thanks, [@Pierre-Sassoulas](https://redirect.github.com/Pierre-Sassoulas). - Polish linter and CLI documentation. Thanks, [@jasonaowen](https://redirect.github.com/jasonaowen) and [@dotWee](https://redirect.github.com/dotWee). ##### Packaging - Drop Python 3.9 support. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
bce6df24b7 | feat(actions): show run status on browser tab favicon (#38071) | ||
|
|
e70b91d8ec |
chore: center info message for unsupported jupyter notebook versions (#38114)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
a77edc7ba4 |
chore(actions): Add icon for status filter (#38082)
Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
55250407dd |
feat(org): add team visibility so org members can discover teams (#37680)
Closes #37670.
Today, org members in Gitea only see teams they're a member of. In larger orgs that hurts onboarding and discoverability — there's no way to look up which team owns what without asking around. GitHub solves this with a per-team visibility setting; this PR brings the same model to Gitea.
## What changes
- Every team gets a `visibility` setting:
  - `private` *(default)* — only team members and org owners can see the team. Same as today's behavior.
  - `limited` — listable by any member of the organization. Members and the repos the team has access to are visible too. Non-org-members still see nothing.
  - `public` — listable by any signed-in user.
- The Owners team visibility is fixed and cannot be changed via settings.
- Existing teams default to `private`, so this is a no-op for anyone who doesn't change anything.
## API
- `Team`, `CreateTeamOption`, `EditTeamOption` all gain a `visibility` field (string enum: `private` | `limited` | `public`).
- `GET /orgs/{org}/teams` and `/orgs/{org}/teams/search` now apply the same visibility rules as the web UI:
  - site admins and org owners still see every team
  - other org members see their own teams plus any `limited` or `public` team
  - `private` teams are no longer leaked through these endpoints
- Swagger/OpenAPI specs regenerated.
---------
Signed-off-by: bircni <bircni@icloud.com>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
|
|
80ca22a9ef | chore(deps): bump dockerfile to use Alpine 3.24 (#38077) | ||
|
|
47d48eb208 | chore: fix form string abuse (#38106) | ||
|
|
3417bc8979 | docs: Clarify criteria for becoming a merger (#38113) | ||
|
|
c6167d1ff5 |
feat(api): add token introspection and self-deletion endpoint (#37995)
Adds a /api/v1/token endpoint that allows tokens to introspect and delete themselves. partially fixes: https://github.com/go-gitea/gitea/issues/33583 Assisted-by: Mistral Vibe:mistral-medium-3.5 --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
b8ef6a91e6 |
docs: Publish TOC Election Result 2026 (#38111)
- Adjusted the wording for what happens on a draw (somehow we managed to get a draw)
The new members are:
- @delvh
- @bircni
- @TheFox0x7
Closes #37551
|
||
|
|
c7af379672 |
fix(api): nil pointer panic when filtering tracked times by a non-existent user (#38112)
## Problem
`GET /repos/{owner}/{repo}/times` and `GET
/repos/{owner}/{repo}/issues/{index}/times` crash with a nil pointer
dereference when the `user` query filter names a user that does not
exist.
## Root cause
In `ListTrackedTimes` and `ListTrackedTimesByRepository`, the
`IsErrUserNotExist` branch sends the 404 but is missing a `return`, so
execution falls through to `opts.UserID = user.ID` with a nil `user`.
---------
Co-authored-by: bircni <bircni@icloud.com>
|
||
|
|
e82352f156 |
feat(web): Add Jupyter Notebook (.ipynb) Rendering Support (#37433)
### Summary Closes #37308 Adds native rendering support for Jupyter notebook files (`.ipynb`) in Gitea using backend rendering, allowing users to view formatted notebooks with code cells, markdown, outputs, and visualizations directly in the repository browser. ### Motivation Jupyter notebooks are widely used in data science, machine learning, and scientific computing. Currently, Gitea displays `.ipynb` files as raw JSON, making them difficult to read. This feature enables users to view notebooks in a formatted, readable way similar to GitHub and GitLab. ### Implementation Approach **Evolution:** Initially implemented frontend rendering using `marked` and `Shiki` libraries. After review feedback, migrated to backend rendering for better performance, security, and consistency with Gitea architecture. #### Backend Rendering Advantages - Server-side HTML generation eliminates client-side parsing overhead - Integrates with Gitea existing markup sanitizer for security - Uses Chroma for syntax highlighting (consistent with code files) - Uses Goldmark for markdown rendering (consistent with `.md` files) - No additional frontend dependencies required - Better performance for large notebooks ### Features #### Supported Cell Types - **Markdown cells:** Rendered with Goldmark (tables, lists, links, code blocks, etc.) 
- **Code cells:** Syntax-highlighted with Chroma, execution counts, language detection from notebook metadata - **Output cells:** Multiple output types in a single cell #### Supported Output Types - ✅ Text/plain outputs - ✅ Images (PNG, JPEG, SVG) with base64 data URIs - ✅ HTML outputs (tables, DataFrames, formatted text) - ✅ LaTeX/math equations (rendered as code blocks) - ✅ Error outputs with traceback (styled in red) - ✅ Stream outputs (`stdout`/`stderr`) - ⚠️ Interactive widgets (Plotly, ipywidgets) show informative messages - ⚠️ JavaScript outputs show security warning (disabled for safety) #### Edge Cases Handled - Empty notebooks or notebooks with no outputs - Corrupted JSON with graceful error display - Mixed output types in single cell - Large base64-encoded images - Execution count of `null` or `0` - `nbformat` version compatibility (only renders `nbformat 4+`, shows message for older versions) ### Changes #### Backend (Go) - `modules/markup/jupyter/jupyter.go` (**NEW**) - Jupyter notebook renderer implementation - Parses `.ipynb` JSON structure and generates HTML - Integrates Chroma for code syntax highlighting - Integrates Goldmark for markdown cell rendering - Dynamic language detection from notebook metadata - Handles all standard Jupyter output types - Comprehensive error handling with user-friendly messages - `modules/markup/renderer.go` (**MODIFIED**) - Registered Jupyter renderer in markup system - `main.go` (**MODIFIED**) - Import Jupyter renderer package for initialization #### Styling (CSS) - `web_src/css/markup/jupyter.css` (**NEW**) - Comprehensive styling for notebook cells, code, outputs - Uses Gitea CSS variables for consistent theming - Responsive layout with proper spacing - Table styling for DataFrame outputs - Removed parent container padding for consistency with other renderers #### Sanitizer Rules - `modules/markup/jupyter/jupyter.go` → `SanitizerRules()` - Configured HTML sanitization rules for safe rendering: - Cell structure 
(markdown, code, input/output wrappers) - Code highlighting (Chroma classes) - Images (base64 data URIs only) - Tables (DataFrames) - Markdown elements (headers, lists, links, etc.) ### Security Considerations - Server-side rendering: No client-side JavaScript execution - HTML sanitization: Strict allowlist for HTML elements and attributes - Image security: Only base64 data URIs allowed (no external URLs) - JavaScript disabled: `application/javascript` outputs show warning - XSS protection: Gitea markup sanitizer handles all HTML output ### Testing Manual testing performed with various notebooks: - Markdown rendering (headers, lists, tables, links, code blocks) - Code cells with execution counts and syntax highlighting - Multiple output types (text, images, HTML, LaTeX, errors, streams) - Error handling for edge cases - Theme compatibility (light/dark mode) ### Dependencies No new dependencies required: - Chroma (existing) - Syntax highlighting - Goldmark (existing) - Markdown rendering - Standard library - JSON parsing ### Key Design 
Decisions - Backend rendering for performance and security - Reuses existing Gitea infrastructure (Chroma, Goldmark, sanitizer) - Consistent styling with other markup renderers - Graceful degradation for unsupported features --- **Development Note:** This PR was developed with assistance from Amazon Q Developer and Claude AI for implementation, debugging, and testing. --------- Signed-off-by: Karthik Bhandary <34509856+karthikbhandary2@users.noreply.github.com> Co-authored-by: karthik.bhandary <karthik.bhandary@kfintech.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
aab9737651 |
fix(ui): prevent commit status popup overflowing its row (#38081)
Fixes #38079 ## Regression path The layout previously had `.commit-status-item .status-context { flex: 1 }`, which let the context fill remaining space and ellipsize. That rule was dropped in #37517 ("Refactor pull request view (5)") when the row markup moved to nested `.flex-text-block` wrappers, so nothing constrained the left block anymore. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
a68ee6a405 | fix(deps): update dependency esbuild to v0.28.1 [security] (#38097) | ||
|
|
1b3b4bdd03 |
fix: git push hook post receive (#38089)
* fix incorrect delayWriter call (there is already a defer call)
* split HookPostReceive into small functions
* fix incorrect HookPostReceiveResult response for errors
* fix incorrect AddRepoToLicenseUpdaterQueue call
* make sure repo home and branches page can work without default branch
* make sure default branch is always synchronized between database and git repo, and fix FIXME
|
||
|
|
9608cc212d |
fix: allow git clone of private repos with anonymous code access (#38074)
Fixes #38062. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
275dee5bda | [skip ci] Updated translations via Crowdin | ||
|
|
ae49f65692 |
fix: parse HEAD ref (#38088)
fix #38086 |
||
|
|
15ae1bfc8c | fix: keep literal "false" value displayed in workflow_dispatch choice dropdowns (#38080) | ||
|
|
f5a97b7518 | fix: git cmd (#38084) | ||
|
|
4f4a0a79ac |
fix: csp regressions (#38047)
fix #37257, all details are in the comments |
||
|
|
e473505d64 |
ci: Remove agent-scan (#38073)
As we saw, the agent scan is not as useful as we thought - so let's remove it again Signed-off-by: bircni <bircni@icloud.com> |
||
|
|
6a7e232f1e |
chore(deps): Update go to 1.26.4 and bump go dependencies (#38023)
New go version addressed multiple vulns as below.
Dependencies affected:
```
gitea.com/gitea/runner - v1.0.6 → v1.0.8
gitea.dev/sdk - v1.0.1 → v1.1.0
github.com/Azure/azure-sdk-for-go/sdk/azcore - v1.20.0 → v1.22.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob - v1.6.3 → v1.7.0
github.com/alecthomas/chroma/v2 - v2.25.0 → v2.26.1
github.com/aws/aws-sdk-go-v2/credentials - v1.19.17 → v1.19.24
github.com/aws/aws-sdk-go-v2/service/codecommit - v1.33.14 → v1.34.4
github.com/dlclark/regexp2/v2 - v2.1.0 → v2.2.1
github.com/getkin/kin-openapi - v0.139.0 → v0.140.0
github.com/google/pprof - v0.0.0-20260507013755-92041b743c96 → v0.0.0-20260604005048-7023385849c0
github.com/jhillyerd/enmime/v2 - v2.4.0 → v2.4.1
github.com/mattn/go-sqlite3 - v1.14.44 → v1.14.45
github.com/meilisearch/meilisearch-go - v0.36.2 → v0.36.3
github.com/microsoft/go-mssqldb - v1.9.7 → v1.10.0
github.com/redis/go-redis/v9 - v9.19.0 → v9.20.0
github.com/urfave/cli/v3 - v3.9.0 → v3.9.1
gitlab.com/gitlab-org/api/client-go/v2 - v2.34.0 → v2.38.0
go.yaml.in/yaml/v4 - v4.0.0-rc.3 → v4.0.0-rc.5
golang.org/x/crypto - v0.52.0 → v0.53.0
golang.org/x/image - v0.41.0 → v0.42.0
golang.org/x/net - v0.55.0 → v0.56.0
golang.org/x/sync - v0.20.0 → v0.21.0
golang.org/x/sys - v0.45.0 → v0.46.0
golang.org/x/text - v0.37.0 → v0.38.0
golang.org/x/tools - v0.44.0 → v0.45.0
gopkg.in/ini.v1 - v1.67.2 → v1.67.3
modernc.org/sqlite - v1.50.1 → v1.52.0
```
---------
Signed-off-by: puni9869 <80308335+puni9869@users.noreply.github.com>
Co-authored-by: Nicolas <bircni@icloud.com>
|
||
|
|
d3d092f65d |
chore: fix git commit "rev-list" (#38069)
Fix the copied & pasted messy code, fix #38067 Now, "limit=-1" means "no limit" |
||
|
|
5a24438698 |
chore: various trivial fixes (#38070)
Follow-up to #37987, addressing the unresolved review comments on the org members search form. And fix more trivial problems together (see the commit titles) --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
fefb6f3219 |
feat(api): Add GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs (#37196)
- Add GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs
endpoint, matching the
https://docs.github.com/en/rest/actions/workflow-runs?apiVersion=2026-03-10#list-workflow-runs-for-a-workflow
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: bircni <bircni@icloud.com>
|
||
|
|
250a38abb5 | chore: migrate unescaped-html-literal eslint rule to our repo and fix more cases (#38072) | ||
|
|
360f34d7fa |
ci: bound seeded Go cache size and speed up disk cleanup (#38048)
Reduces the CI cache growth and disk pressure behind the flaky `No space left on device` failures in https://github.com/go-gitea/gitea/issues/37974.
**`go-cache`** — the cache-seeder saved with a `restore-keys` prefix fallback, so every `go.sum` change restored the previous cache and re-saved the union; old module versions and stale build objects accumulated (~3 GB → ~7 GB) and overflowed disk on smaller runners. Drop `restore-keys` from the seeder **save** branches so each `go.sum` seeds a clean, size-bounded cache. PR runs keep `restore-keys` for warm-start fallback.
**`free-disk-space`** — delete the unused preinstalled toolchains in parallel (~86 s → ~54 s) and log `df -h /` before/after.
Measured during review: the hosted `ubuntu-latest` fleet is heterogeneous — most runners have ~89 GB free on `/` (a full pgsql integration shard peaks at ~17 GB used), but a minority arrive nearly full and fail mid cache-restore. The toolchain deletion is the headroom that keeps those runners green, so it stays; the cache bound shrinks the footprint for every runner.
Authored with assistance from Claude (Opus 4.8).
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: bircni <bircni@icloud.com>
|
||
|
|
bc2fbe77b1 |
refactor(actions): read runner capabilities from proto field (#38068)
[actions-proto-go v0.6.0](https://gitea.com/gitea/actions-proto-go) adds a `capabilities` field to `RegisterRequest` and `DeclareRequest`. This lets a runner advertise the transitional `cancelling` capability directly in the proto message instead of through the out-of-band mechanism we used while the proto bump was pending.
This PR:
- Bumps `gitea.dev/actions-proto-go` to `v0.6.0`.
- Drops the forward-compat `capabilityGetter` type-assertion shim and the `runnerRequestHasCancellingCapability` helper, reading `GetCapabilities()` directly (now part of the `declareRequest` interface).
- Removes the "capability state unknown → preserve existing value" branch.
## Why the behaviour change is correct
The shim and the `(hasSupport, known)` two-value return only existed because the old proto had no `capabilities` field, so we couldn't tell "runner doesn't support it" from "we can't see the field." With v0.6.0 the field is always present. Since proto3 repeated fields have no presence, "no capabilities sent" now unambiguously means the runner does not advertise the capability, so a runner that omits `cancelling` is correctly recorded as `HasCancellingSupport = false`. There is no regression: prior to this bump Gitea was on `v0.5.0`, where the type assertion always failed and `HasCancellingSupport` was therefore never set from requests — so no runner relied on the preserved-unknown path.
## Compatibility
The change is wire-compatible in both directions of version skew, because the new field uses a previously unused field number (8 on `RegisterRequest`, 3 on `DeclareRequest`) and the transport uses the binary protobuf codec:
- **Old runner → new Gitea:** the runner omits the field; it decodes to an empty capability list. Registration/declaration succeed; the runner simply doesn't get the cancelling feature.
- **New runner → old Gitea:** the runner sends the field; the old server's generated code doesn't know the field number and silently ignores it. Registration/declaration succeed.
The feature only activates once both server and runner are on `v0.6.0`. |
||
|
|
442f5e7d06 | chore: fine tune pull request merge box and commit status item (#38060) | ||
|
|
988f0ea54a |
fix: validate gem name in rubygems parseMetadataFile (#38061)
The registry writes the stored gem name straight into its line-based
compact index, both the shared `/versions` listing (one `GEMNAME
versions md5` line per gem) and the per-package `info/{name}` file. The
parser only rejected an empty name or one containing a slash, so a
`.gem` whose gemspec `name` carries a newline was accepted and persisted
as the package name, letting an authenticated uploader forge extra lines
in the shared index and so spoof additional gem names, versions and
checksums to clients. The name is now checked against the upstream
RubyGems name pattern in the parser, which is the layer that already
validates the version.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
|
|
fa89785d33 |
feat(api): add Link header in ListForks (#38052)
Fixes #38051.
Disclosure: writing of the integration test was AI assisted.
---------
Signed-off-by: Eugenio Paolantonio <eugenio.paolantonio@suse.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
|
|
19d1e1d334 |
test: enable WAL for sqlite integration tests (#37861)
Enable `SQLITE_JOURNAL_MODE = WAL` for the sqlite integration test config. With modernc as the default driver, concurrent writers serialize on SQLite's single write lock and the tail of the queue can exceed the 20s busy timeout under CI load. WAL drains the queue fast enough to stay inside the timeout (removes rollback's fsync-per-commit and reader-vs-commit blocking) and covers all sqlite integration tests in one change. --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
|
920b3f8cb6 | fix(hostmatcher): block reserved IP ranges from external/private filters (#38039) | ||
|
|
4ba0a545f2 |
chore: js html (#38056)
remove unnecessary "eslint-disable-line" rules |
||
|
|
a51781527b |
fix: commit display name (#38057)
fix #38054 |
||
|
|
7134c1f845 |
fix: bound debian ParseControlFile to a single control stanza (#38044)
**Packages-index stanza injection via Debian control file**
A `.deb` whose `control` file appends extra paragraphs after a blank line was still accepted, and `ParseControlFile` stored the whole multi-stanza blob in `p.Control`. That blob is re-emitted verbatim into the generated `Packages` index, so the embedded blank line splits it into separate stanzas and an uploader can smuggle a package entry with an attacker-chosen `Filename` into the shared index. A binary control file only holds one stanza, so parsing now stops at the blank line that terminates it; well-formed packages are unaffected and the new subtest covers the trailing-stanza case.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
|
|
7b4a1a1a11 | fix(lfs): require Code-unit access for cross-repo LFS object reuse (#38006) | ||
|
|
63df886ba8 |
fix(actions): keep distinct commit statuses for workflows sharing a name (#37834)
## Summary
Two Gitea Actions workflow files that share the same `name:` and same job name produced identical commit-status `Context` strings. Because `GetLatestCommitStatus` groups by `context_hash` (derived from `Context`), only one row was shown on the PR page — see #35699. GitHub displays both rows even though they look identical. This change does the same: the displayed `Context` is unchanged, but `ContextHash` now mixes in the workflow file path so the two statuses remain distinct in the dedupe query.
## Notes
- Workflows that omit `name:` now use the workflow file name in the `Context` (e.g. `ci.yaml / build (push)`) instead of an empty `/ build (push)`. This changes the `Context` string for unnamed workflows, so any required-status-check rule that referenced the old string must be updated after upgrade.
- For statuses created before this change (hashed from `Context` alone), `createCommitStatus` reuses that legacy hash when a matching row is still present, so in-flight pending statuses are superseded rather than orphaned on upgrade.
Fixes #35699
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: silverwind <me@silverwind.io>
|
||
|
|
5fe77ad309 |
fix(deps): update go dependencies (#37967)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.5` → `v1.0.6` |  |  | | [github.com/aws/aws-sdk-go-v2/credentials](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.19.16` → `v1.19.17` |  |  | | [github.com/getkin/kin-openapi](https://redirect.github.com/getkin/kin-openapi) | `v0.138.0` → `v0.139.0` |  |  | | [github.com/go-chi/chi/v5](https://redirect.github.com/go-chi/chi) | `v5.2.5` → `v5.3.0` |  |  | | [github.com/go-webauthn/webauthn](https://redirect.github.com/go-webauthn/webauthn) | `v0.17.3` → `v0.17.4` |  |  | | [github.com/minio/minio-go/v7](https://redirect.github.com/minio/minio-go) | `v7.1.0` → `v7.2.0` |  |  | | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.30.0` → `v2.34.0` |  |  | --- ### Release Notes <details> <summary>gitea/runner (gitea.com/gitea/runner)</summary> ### [`v1.0.6`](https://gitea.com/gitea/runner/releases/tag/v1.0.6) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.5...v1.0.6) #### Changelog - fix(deps): update module github.com/opencontainers/selinux to v1.15.0 ([#​990](https://redirect.github.com/gitea/runner/issues/990)) - chore: pin Docker base images to explicit versions ([#​992](https://redirect.github.com/gitea/runner/issues/992)) - chore(deps): update actions/setup-node action to v6 ([#​991](https://redirect.github.com/gitea/runner/issues/991)) - test: make TestRunEvent integration suite runnable locally ([#​987](https://redirect.github.com/gitea/runner/issues/987)) - ci: add PR title linting against Conventional Commits ([#​988](https://redirect.github.com/gitea/runner/issues/988)) - fix: clean up job network and container when container start fails ([#​986](https://redirect.github.com/gitea/runner/issues/986)) </details> <details> 
<summary>getkin/kin-openapi (github.com/getkin/kin-openapi)</summary> ### [`v0.139.0`](https://redirect.github.com/getkin/kin-openapi/releases/tag/v0.139.0) [Compare Source](https://redirect.github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0) #### What's Changed - feat(openapi3): batch-convert long-tail RequiredFieldError sites by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1170](https://redirect.github.com/getkin/kin-openapi/pull/1170) - feat(openapi3): typed validation error clusters (combined: [#​1171](https://redirect.github.com/getkin/kin-openapi/issues/1171)-[#​1179](https://redirect.github.com/getkin/kin-openapi/issues/1179)) by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1180](https://redirect.github.com/getkin/kin-openapi/pull/1180) - openapi3gen: skip component export for anonymous types by [@​0-don](https://redirect.github.com/0-don) in [#​1163](https://redirect.github.com/getkin/kin-openapi/pull/1163) - feat: migrate to oasdiff/yaml v0.1.0 single Unmarshal API + enable DisableTimestamps by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1181](https://redirect.github.com/getkin/kin-openapi/pull/1181) - openapi3: typed context errors for Validate() wrapper chain by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1183](https://redirect.github.com/getkin/kin-openapi/pull/1183) - openapi3: track Origin on the document root (T) by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1184](https://redirect.github.com/getkin/kin-openapi/pull/1184) - openapi3: tests flakiness corrected by [@​fenollp](https://redirect.github.com/fenollp) in [#​1159](https://redirect.github.com/getkin/kin-openapi/pull/1159) - openapi3: aggregate independent validation errors via EnableMultiError by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1185](https://redirect.github.com/getkin/kin-openapi/pull/1185) - openapi3: fix validation of 
duplicated path templates by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1189](https://redirect.github.com/getkin/kin-openapi/pull/1189) - openapi3: type the remaining bare-error validation sites by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1187](https://redirect.github.com/getkin/kin-openapi/pull/1187) **Full Changelog**: <https://github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0> </details> <details> <summary>go-chi/chi (github.com/go-chi/chi/v5)</summary> ### [`v5.3.0`](https://redirect.github.com/go-chi/chi/releases/tag/v5.3.0) [Compare Source](https://redirect.github.com/go-chi/chi/compare/v5.2.5...v5.3.0) #### What's Changed - Use strings.ReplaceAll where applicable by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1046](https://redirect.github.com/go-chi/chi/pull/1046) - Propagate inline middlewares across mounted subrouters by [@​LukasJenicek](https://redirect.github.com/LukasJenicek) in [#​1049](https://redirect.github.com/go-chi/chi/pull/1049) - add go 1.26 to ci by [@​pkieltyka](https://redirect.github.com/pkieltyka) in [#​1052](https://redirect.github.com/go-chi/chi/pull/1052) - Remove last uses of io/ioutil by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1054](https://redirect.github.com/go-chi/chi/pull/1054) - Simplify chi.walk with slices.Concat by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1053](https://redirect.github.com/go-chi/chi/pull/1053) - Apply the stringscutprefix modernizer by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1051](https://redirect.github.com/go-chi/chi/pull/1051) - Bump minimum Go to 1.23, always use request.Pattern by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1048](https://redirect.github.com/go-chi/chi/pull/1048) - middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by [@​alliasgher](https://redirect.github.com/alliasgher) in [#​1085](https://redirect.github.com/go-chi/chi/pull/1085) 
- Fix typo in Route doc comment by [@​gouwazi](https://redirect.github.com/gouwazi) in [#​1073](https://redirect.github.com/go-chi/chi/pull/1073) - fix: set Request.Pattern from RoutePattern() by [@​leno23](https://redirect.github.com/leno23) in [#​1097](https://redirect.github.com/go-chi/chi/pull/1097) - feat: middleware.ClientIP, a replacement for middleware.RealIP by [@​VojtechVitek](https://redirect.github.com/VojtechVitek) in [#​967](https://redirect.github.com/go-chi/chi/pull/967) #### New Contributors - [@​LukasJenicek](https://redirect.github.com/LukasJenicek) made their first contribution in [#​1049](https://redirect.github.com/go-chi/chi/pull/1049) - [@​alliasgher](https://redirect.github.com/alliasgher) made their first contribution in [#​1085](https://redirect.github.com/go-chi/chi/pull/1085) - [@​gouwazi](https://redirect.github.com/gouwazi) made their first contribution in [#​1073](https://redirect.github.com/go-chi/chi/pull/1073) - [@​leno23](https://redirect.github.com/leno23) made their first contribution in [#​1097](https://redirect.github.com/go-chi/chi/pull/1097) #### SECURITY: middleware.ClientIP, a replacement for middleware.RealIP [@​VojtechVitek](https://redirect.github.com/VojtechVitek) submitted PR [#​967](https://redirect.github.com/go-chi/chi/issues/967), which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories: - [GHSA-9g5q-2w5x-hmxf](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-9g5q-2w5x-hmxf) — IP spoofing via XFF in `RemoteAddr` resolution (convto) - [GHSA-rjr7-jggh-pgcp](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-rjr7-jggh-pgcp) — RealIP allows IP spoofing via unvalidated XFF (rezmoss) - [GHSA-3fxj-6jh8-hvhx](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-3fxj-6jh8-hvhx) — IP spoofing in `middleware.RealIP` (Saku0512, Critical / 9.3) It also addresses issues outlined at: - 
[#​708](https://redirect.github.com/go-chi/chi/issues/708) - <https://adam-p.ca/blog/2022/03/x-forwarded-for/> - [#​711](https://redirect.github.com/go-chi/chi/issues/711) - [#​453](https://redirect.github.com/go-chi/chi/issues/453) - [#​908](https://redirect.github.com/go-chi/chi/pull/908) `middleware.RealIP` is deprecated in this PR with pointers to the new API. The deprecation only adds a `// Deprecated:` doc comment; the function keeps working for backward compatibility. ##### Why a new middleware (not "fix RealIP in place") `RealIP` has two unfixable design choices: it mutates `r.RemoteAddr`, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per [adam-p's "The perils of the 'real' client IP"](https://adam-p.ca/blog/2022/03/x-forwarded-for/) (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly. ##### The new API Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors: ```go // One of the four. There is no safe default — pick exactly one. func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler func ClientIPFromRemoteAddr(h http.Handler) http.Handler // Read the result. func GetClientIP(ctx context.Context) string // for logs, rate-limit keys func GetClientIPAddr(ctx context.Context) netip.Addr // for typed work ``` #### Example usage: ```go // Pick a single ClientIP middleware based on your deployment // Cloudflare. r.Use(middleware.ClientIPFromHeader("CF-Connecting-IP")) // Nginx with ngx_http_realip_module. r.Use(middleware.ClientIPFromHeader("X-Real-IP")) // Apache with mod_remoteip. 
r.Use(middleware.ClientIPFromHeader("X-Client-IP")) // AWS CloudFront, or any proxy fleet with known CIDRs. r.Use(middleware.ClientIPFromXFF( "13.32.0.0/15", // CloudFront IPv4 "52.46.0.0/18", // CloudFront IPv4 "2600:9000::/28", // CloudFront IPv6 )) // Behind exactly 2 trusted proxies with dynamic IPs (autoscaling pools, // ephemeral containers, dynamic CDN edges). r.Use(middleware.ClientIPFromXFFTrustedProxies(2)) // Server directly on the public internet, no proxy in front. r.Use(middleware.ClientIPFromRemoteAddr) ``` And in your handler or downstream middleware: ```go clientIP := middleware.GetClientIP(r.Context()) // log it, use it as a rate-limit key, etc. ``` *** Thanks to [@​adam-p](https://redirect.github.com/adam-p), [@​c2h5oh](https://redirect.github.com/c2h5oh), [@​rezmoss](https://redirect.github.com/rezmoss), [@​Saku0512](https://redirect.github.com/Saku0512), [@​convto](https://redirect.github.com/convto), [@​Dirbaio](https://redirect.github.com/Dirbaio), [@​jawnsy](https://redirect.github.com/jawnsy), [@​lrstanley](https://redirect.github.com/lrstanley), [@​mfridman](https://redirect.github.com/mfridman), [@​n33pm](https://redirect.github.com/n33pm), [@​pkieltyka](https://redirect.github.com/pkieltyka) for the prior discussions, detailed reviews, advisory reports, and test contributions that shaped this PR. **Full Changelog**: <https://github.com/go-chi/chi/compare/v5.2.5...v5.3.0> </details> <details> <summary>go-webauthn/webauthn (github.com/go-webauthn/webauthn)</summary> ### [`v0.17.4`](https://redirect.github.com/go-webauthn/webauthn/blob/HEAD/CHANGELOG.md#v0174-2026-05-22) [Compare Source](https://redirect.github.com/go-webauthn/webauthn/compare/v0.17.3...v0.17.4) ##### Dependency Updates This release just contains updates to dependencies. 
</details> <details> <summary>minio/minio-go (github.com/minio/minio-go/v7)</summary> ### [`v7.2.0`](https://redirect.github.com/minio/minio-go/releases/tag/v7.2.0) [Compare Source](https://redirect.github.com/minio/minio-go/compare/v7.1.0...v7.2.0) #### What's Changed - Use go tool for ci-lint check by [@​klauspost](https://redirect.github.com/klauspost) in [#​2229](https://redirect.github.com/minio/minio-go/pull/2229) - Rename github.com/go-ini/ini to gopkg.in/ini.v1 by [@​ramondeklein](https://redirect.github.com/ramondeklein) in [#​2232](https://redirect.github.com/minio/minio-go/pull/2232) - Add RDMA / NVIDIA GPU Direct Storage support by [@​harshavardhana](https://redirect.github.com/harshavardhana) in [#​2233](https://redirect.github.com/minio/minio-go/pull/2233) **Full Changelog**: <https://github.com/minio/minio-go/compare/v7.1.0...v7.2.0> </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.34.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.34.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0) #### 2.34.0 ##### 🚀 Features - Extend DeploymentDeployablePipeline with web_url ([!2902](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2902)) by [Jan Berge Sommerdahl](https://gitlab.com/sommerdahl) ##### 🔄 Other Changes - chore(deps): update docker docker tag to v29.5.1 ([!2903](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2903)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.34.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0) (2026-05-27) ### [`v2.33.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.33.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0) #### 2.33.0 ##### 🚀 Features - feat(work-items): add ListWorkItemTypes to WorkItemsService ([!2864](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2864)) by 
[Emmanuel 326](https://gitlab.com/Emmanuel326) ##### 🔄 Other Changes - chore(deps): update module cel.dev/expr to v0.25.2 ([!2881](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2881)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.33.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0) (2026-05-27) ##### Features * **work-items:** add ListWorkItemTypes to WorkItemsService ([e71cb99]( |
||
|
|
a91c88428b |
chore(deps): update dependency happy-dom to v20.10.1 (#38043)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.9.0` → `20.10.1`](https://renovatebot.com/diffs/npm/happy-dom/20.9.0/20.10.1) |  |  | --- ### Release Notes <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.10.1`](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.0...v20.10.1) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.0...v20.10.1) ### [`v20.10.0`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.0) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.9.0...v20.10.0) ##### 🎨 Features - Adds support for setting a canvas adapter for handling the canvas rendering using the browser setting [canvasAdapter](https://redirect.github.com/capricorn86/happy-dom/wiki/IOptionalBrowserSettings) - By **[@​RAprogramm](https://redirect.github.com/RAprogramm)** and **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds new package [@​happy-dom/node-canvas-adapter](https://redirect.github.com/capricorn86/happy-dom/tree/master/packages/%40happy-dom/node-canvas-adapter) - By **[@​RAprogramm](https://redirect.github.com/RAprogramm)** and **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - [@​happy-dom/node-canvas-adapter](https://redirect.github.com/capricorn86/happy-dom/tree/master/packages/%40happy-dom/node-canvas-adapter) is a pluggable canvas adapter for Happy DOM using [node-canvas](https://redirect.github.com/Automattic/node-canvas). 
- Adds support for loading image files when enabling the browser setting [enableImageFileLoading](https://redirect.github.com/capricorn86/happy-dom/wiki/IOptionalBrowserSettings) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for loading image data URLs - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [ImageData](https://developer.mozilla.org/en-US/docs/Web/API/ImageData) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [ImageBitmap](https://developer.mozilla.org/en-US/docs/Web/API/ImageBitmap) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [Window.createImageBitmap()](https://developer.mozilla.org/en-US/docs/Web/API/Window/createImageBitmap) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). 
|
||
|
|
49a0d19fa3 |
feat(api): Add assignees APIs (#37330)
Follow https://docs.github.com/en/enterprise-server@3.20/rest/issues/assignees?apiVersion=2022-11-28
Fix #33576
And it also fixed some possible dead-lock problem.
---------
Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>
|
||
|
|
611dfc9496 | fix: Fix some wrong code and follow 37347 (#37987) | ||
|
|
72c1e4c621 | docs: update community governance document (#38038) | ||
|
|
60abea17a2 |
chore(deps): update module github.com/go-swagger/go-swagger to v0.34.0 (#38028)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-swagger/go-swagger](https://redirect.github.com/go-swagger/go-swagger) | `v0.33.2` → `v0.34.0` |  |  | --- ### Release Notes <details> <summary>go-swagger/go-swagger (github.com/go-swagger/go-swagger)</summary> ### [`v0.34.0`](https://redirect.github.com/go-swagger/go-swagger/releases/tag/v0.34.0) [Compare Source](https://redirect.github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0) go-swagger release 0.34.0 *** Released on 2026 May 29 ##### [0.34.0](https://redirect.github.com/go-swagger/go-swagger/tree/v0.34.0) - 2026-05-28 Major refactoring. Focus on improving runtime (e.g.generated client) and codescan (e.g. generated spec). **Full Changelog**: <https://github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0> 42 commits in this release. *** ##### <!-- 00 -->Implemented enhancements - feat(client): added method to configure client-side custom producers/consumers by [@​fredbi](https://redirect.github.com/fredbi) in [#​3351](https://redirect.github.com/go-swagger/go-swagger/pull/3351) [...]( |
||
|
|
699fe2ef43 |
fix(actions)!: require merged PR to bypass fork PR approval gate (#38010)
`ifNeedApproval` in `services/actions/notifier_helper.go` decided whether a fork PR's workflow run had to wait for maintainer approval. The bypass clause counted any prior `approved_by > 0` run for `(repo_id, trigger_user_id)`, so the very first Approve-and-run click on a contributor's fork PR permanently trusted that user for every future fork PR in the same repository — including PRs whose only change is the workflow YAML itself.
Approving a workflow *run* is not the same as merging *code*. This change aligns the gate with GitHub Actions' first-time-contributor model: trust is granted only after the user has had a pull request merged in the repo.
## Behavior change
- **Before**: one approval = permanent trust for that user in that repo.
- **After**: every fork PR is gated until the contributor has at least one merged PR in the repo.
Existing already-approved runs and merged PRs continue to work; only the trust criterion for *future* fork PRs changes. Maintainers who rely on the implicit "approve once" trust will see the approval banner reappear until they merge a PR from that contributor. |