bircni
54916f708e
feat: Add avatar stacks ( #37594 )
...
Parse `Co-authored-by:` trailers from commit messages and surface
contributors as an avatar stack across the commit page, commits list, PR
commits tab, latest-commit row, blame, graph, and dashboard feed.
- Up to 10 visible 20px avatars, GitHub-style overlap (6px first stride,
4px between subsequent), `+N` chip for the rest.
- Label: 1 → name; 2 → `<a> and <b>`; 3+ → `<N> people` opens a Tippy
popup with all participants.
- Names and avatars link to the repo's commits-by-author search; fall
back to profile or `mailto:`.
- Trailer parsing uses `net/mail.ParseAddress`, scans only the trailing
paragraph, filters out the commit's own author/committer.
- Drops the non-standard `Co-committed-by:` emission on squash merge and
web edits.
Devtest: `/devtest/coauthor-avatars`.
Fixes #25521
----
<img width="353" height="277" alt="image"
src="https://github.com/user-attachments/assets/72092ceb-97ca-4b09-9557-0b72d3c5458e "
/>
<img width="533" height="328"
src="https://github.com/user-attachments/assets/11d0c8f8-8b3f-4f2e-9993-879f1c06bcc5 "
/>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
Co-authored-by: Giteabot <teabot@gitea.io >
2026-06-08 17:16:22 +00:00
Giteabot
2a84831400
chore(deps): update astral-sh/setup-uv action to v8.2.0 ( #38036 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv ) |
action | minor | `v8.1.0` → `v8.2.0` |
---
### Release Notes
<details>
<summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary>
###
[`v8.2.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v8.2.0 ):
🌈 New inputs `quiet` and `download-from-astral-mirror`
[Compare
Source](https://redirect.github.com/astral-sh/setup-uv/compare/v8.1.0...v8.2.0 )
#### Changes
This release brings two new inputs and a few bug fixes.
##### New inputs
Lets talk about the new inputs first.
##### quiet
Pretty simple. It turns of all `info` loggings. Useful if you use this
in a composite action and are not interested in all the details.
In the upcoming releases we will add log groups to fully implement
support for "less noise"
> \[!NOTE]\
> Warnings and errors are always logged.
##### download-from-astral-mirror
In some cases you may want to directly use the fallback of checking for
available versions and downloading releases from GitHub instead of using
the astral.sh mirror. Setting `download-from-astral-mirror: false`
allows you to do that.
##### Bugfixes
When using the astral.sh mirror to query available versions and download
releases (done by default) we now stop sending the GitHub token in the
header. The mirror never looked at it but we shouldn't be handing out
that data even if it is just a short lived token.
All other bugfixes try to limit the impact of failed GitHub queries due
to retries and other faults.
We couldn't pinpoint all rootcauses yet but added more logging for error
cases to track them down.
#### 🐛 Bug fixes
- fix: report unexpected cache save failures
[@​eifinger](https://redirect.github.com/eifinger )
([#​896](https://redirect.github.com/astral-sh/setup-uv/issues/896 ))
- fix: report unexpected setup failures
[@​eifinger](https://redirect.github.com/eifinger )
([#​895](https://redirect.github.com/astral-sh/setup-uv/issues/895 ))
- fix: add timeout to fetch to prevent silent hangs
[@​eifinger-bot](https://redirect.github.com/eifinger-bot )
([#​883](https://redirect.github.com/astral-sh/setup-uv/issues/883 ))
- Limit GitHub tokens to github.com download URLs
[@​zsol](https://redirect.github.com/zsol )
([#​878](https://redirect.github.com/astral-sh/setup-uv/issues/878 ))
- increase libuv-workaround timeout to 100ms
[@​eifinger](https://redirect.github.com/eifinger )
([#​880](https://redirect.github.com/astral-sh/setup-uv/issues/880 ))
#### 🚀 Enhancements
- Add quiet input to suppress info-level log output
[@​eifinger](https://redirect.github.com/eifinger )
([#​898](https://redirect.github.com/astral-sh/setup-uv/issues/898 ))
- feat: add `download-from-astral-mirror` input
[@​eifinger](https://redirect.github.com/eifinger )
([#​897](https://redirect.github.com/astral-sh/setup-uv/issues/897 ))
#### 🧰 Maintenance
- docs: update dependabot rollup biome guidance
[@​eifinger](https://redirect.github.com/eifinger )
([#​902](https://redirect.github.com/astral-sh/setup-uv/issues/902 ))
- chore: update known checksums for 0.11.18
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​899](https://redirect.github.com/astral-sh/setup-uv/issues/899 ))
- chore: update known checksums for 0.11.17
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​892](https://redirect.github.com/astral-sh/setup-uv/issues/892 ))
- chore: update known checksums for 0.11.16
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​889](https://redirect.github.com/astral-sh/setup-uv/issues/889 ))
- chore: update known checksums for 0.11.15
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​885](https://redirect.github.com/astral-sh/setup-uv/issues/885 ))
- chore: update known checksums for 0.11.14
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​879](https://redirect.github.com/astral-sh/setup-uv/issues/879 ))
- chore: update known checksums for 0.11.13
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​877](https://redirect.github.com/astral-sh/setup-uv/issues/877 ))
- chore: update known checksums for 0.11.12
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​876](https://redirect.github.com/astral-sh/setup-uv/issues/876 ))
- chore: update known checksums for 0.11.11
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​873](https://redirect.github.com/astral-sh/setup-uv/issues/873 ))
- chore: update known checksums for 0.11.9/0.11.10
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​871](https://redirect.github.com/astral-sh/setup-uv/issues/871 ))
- chore: update known checksums for 0.11.8
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​867](https://redirect.github.com/astral-sh/setup-uv/issues/867 ))
- Bump setup-uv references to v8.1.0 SHA in docs
[@​eifinger](https://redirect.github.com/eifinger )
([#​862](https://redirect.github.com/astral-sh/setup-uv/issues/862 ))
- Add update-docs.yml workflow
[@​eifinger](https://redirect.github.com/eifinger )
([#​861](https://redirect.github.com/astral-sh/setup-uv/issues/861 ))
#### ⬆️ Dependency updates
- chore(deps): roll up dependabot updates
[@​eifinger](https://redirect.github.com/eifinger )
([#​903](https://redirect.github.com/astral-sh/setup-uv/issues/903 ))
- chore(deps): roll up dependabot updates
[@​eifinger](https://redirect.github.com/eifinger )
([#​901](https://redirect.github.com/astral-sh/setup-uv/issues/901 ))
- chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​900](https://redirect.github.com/astral-sh/setup-uv/issues/900 ))
- chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​842](https://redirect.github.com/astral-sh/setup-uv/issues/842 ))
- chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​893](https://redirect.github.com/astral-sh/setup-uv/issues/893 ))
- chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​891](https://redirect.github.com/astral-sh/setup-uv/issues/891 ))
- chore(deps): bump release-drafter/release-drafter from 7.2.0 to 7.3.0
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​884](https://redirect.github.com/astral-sh/setup-uv/issues/884 ))
- chore(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.5
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​888](https://redirect.github.com/astral-sh/setup-uv/issues/888 ))
- chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​881](https://redirect.github.com/astral-sh/setup-uv/issues/881 ))
- chore(deps): bump github/codeql-action from 4.32.2 to 4.35.3
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​875](https://redirect.github.com/astral-sh/setup-uv/issues/875 ))
- chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​866](https://redirect.github.com/astral-sh/setup-uv/issues/866 ))
- chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​864](https://redirect.github.com/astral-sh/setup-uv/issues/864 ))
- chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​863](https://redirect.github.com/astral-sh/setup-uv/issues/863 ))
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- Only on Monday (`* * * * 1`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
2026-06-08 18:53:12 +02:00
wxiaoguang
136f7d18aa
fix: api error message ( #38031 )
...
Fix various abuses and mistakes
2026-06-08 16:58:42 +08:00
Zettat123
60f66a9bfd
enhance(actions): improve reusable workflow uses handling and cancellation ( #37991 )
...
Follow up #37478
## Changes
1. #37478 doesn't support absolute URL in `uses`. This PR provides
partial support for URL-style reusable workflow references. A reusable
workflow can now be referenced by an absolute URL, as long as it points
to the local Gitea instance:
```yaml
jobs:
call:
uses: https://your-gitea.example.com/OWNER/REPO/.gitea/workflows/ci.yaml@v1
```
2. Show an error message in the UI for invalid `uses`.
<img width="1600" alt="image"
src="https://github.com/user-attachments/assets/21b34e61-bf10-4af1-b9fd-4ee4e9fde049 "
/>
3. Fix reusable caller cancellation issue. A reusable caller's status is
aggregated from its children, so cancellation should processes a
caller's descendants deepest-first.
---------
Signed-off-by: Zettat123 <zettat123@gmail.com >
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
Co-authored-by: bircni <bircni@icloud.com >
Co-authored-by: Giteabot <teabot@gitea.io >
2026-06-08 06:39:06 +00:00
Giteabot
1e9ea9c8f5
fix(deps): update npm dependencies ( #38029 )
...
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/ ) |
[Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [@primer/octicons](https://primer.style/octicons )
([source](https://redirect.github.com/primer/octicons )) | [`19.27.0` →
`19.28.0`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.27.0/19.28.0 )
|
|
|
|
[@typescript-eslint/parser](https://typescript-eslint.io/packages/parser )
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser ))
| [`8.60.0` →
`8.60.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.60.0/8.60.1 )
|
|
|
|
[@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest )
| [`1.6.18` →
`1.6.19`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.18/1.6.19 )
|
|
|
| [eslint](https://eslint.org )
([source](https://redirect.github.com/eslint/eslint )) | [`10.4.0` →
`10.4.1`](https://renovatebot.com/diffs/npm/eslint/10.4.0/10.4.1 ) |
|
|
|
[eslint-import-resolver-typescript](https://redirect.github.com/import-js/eslint-import-resolver-typescript )
| [`4.4.4` →
`4.4.5`](https://renovatebot.com/diffs/npm/eslint-import-resolver-typescript/4.4.4/4.4.5 )
|
|
|
|
[eslint-plugin-vue-scoped-css](https://future-architect.github.io/eslint-plugin-vue-scoped-css/ )
([source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css ))
| [`3.1.0` →
`3.1.1`](https://renovatebot.com/diffs/npm/eslint-plugin-vue-scoped-css/3.1.0/3.1.1 )
|
|
|
| [js-yaml](https://redirect.github.com/nodeca/js-yaml ) | [`4.1.1` →
`4.2.0`](https://renovatebot.com/diffs/npm/js-yaml/4.1.1/4.2.0 ) |
|
|
| [pnpm](https://pnpm.io )
([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm )) |
[`11.4.0` →
`11.5.1`](https://renovatebot.com/diffs/npm/pnpm/11.4.0/11.5.1 ) |
|
|
|
[rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin )
| [`3.0.8` →
`3.0.9`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.8/3.0.9 )
|
|
|
|
[typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint )
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint ))
| [`8.60.0` →
`8.60.1`](https://renovatebot.com/diffs/npm/typescript-eslint/8.60.0/8.60.1 )
|
|
|
| [updates](https://redirect.github.com/silverwind/updates ) | [`17.17.2`
→ `17.17.3`](https://renovatebot.com/diffs/npm/updates/17.17.2/17.17.3 )
|
|
|
| [vite](https://vite.dev )
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite ))
| [`8.0.14` →
`8.0.16`](https://renovatebot.com/diffs/npm/vite/8.0.14/8.0.16 ) |
|
|
| [vitest](https://vitest.dev )
([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest ))
| [`4.1.7` →
`4.1.8`](https://renovatebot.com/diffs/npm/vitest/4.1.7/4.1.8 ) |
|
|
| [vue-tsc](https://redirect.github.com/vuejs/language-tools )
([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc ))
| [`3.3.2` →
`3.3.3`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.2/3.3.3 ) |
|
|
---
### Release Notes
<details>
<summary>primer/octicons (@​primer/octicons)</summary>
###
[`v19.28.0`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19280 )
[Compare
Source](https://redirect.github.com/primer/octicons/compare/v19.27.0...v19.28.0 )
##### Minor Changes
- [#​1208](https://redirect.github.com/primer/octicons/pull/1208 )
[`eddab3ff`](eddab3ff19https://redirect.github.com/dylanatsmith )!
- Fix vscode icon: update 16px, add 24px, remove 32px and 48px
</details>
<details>
<summary>typescript-eslint/typescript-eslint
(@​typescript-eslint/parser)</summary>
###
[`v8.60.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8601-2026-06-01 )
[Compare
Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.0...v8.60.1 )
This was a version bump only for parser to align it with other projects,
there were no code changes.
See [GitHub
Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.1 )
for more information.
You can read about our [versioning
strategy](https://typescript-eslint.io/users/versioning ) and
[releases](https://typescript-eslint.io/users/releases ) on our website.
</details>
<details>
<summary>vitest-dev/eslint-plugin-vitest
(@​vitest/eslint-plugin)</summary>
###
[`v1.6.19`](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/releases/tag/v1.6.19 )
[Compare
Source](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19 )
*No significant changes*
##### [View changes on
GitHub](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.18...v1.6.19 )
</details>
<details>
<summary>eslint/eslint (eslint)</summary>
###
[`v10.4.1`](https://redirect.github.com/eslint/eslint/releases/tag/v10.4.1 )
[Compare
Source](https://redirect.github.com/eslint/eslint/compare/v10.4.0...v10.4.1 )
#### Bug Fixes
-
[`e557467`](e557467db7https://redirect.github.com/eslint/eslint/issues/20930 ))
(Francesco Trotta)
-
[`d4ce898`](d4ce898796https://redirect.github.com/eslint/eslint/issues/20917 ))
(Minh Vu)
-
[`f4f3507`](f4f3507460https://redirect.github.com/eslint/eslint/issues/20916 ))
(kuldeep kumar)
-
[`c5bc78b`](c5bc78b37ehttps://redirect.github.com/eslint/eslint/issues/20655 ))
(Tanuj Kanti)
-
[`27538c0`](27538c01f5https://redirect.github.com/eslint/eslint/issues/20853 ))
(Pixel998)
#### Documentation
-
[`61b0add`](61b0add61fhttps://redirect.github.com/eslint/eslint/issues/20921 ))
(Tanuj Kanti)
-
[`305d5b9`](305d5b91aehttps://redirect.github.com/eslint/eslint/issues/20911 ))
(Tanuj Kanti)
-
[`49b0202`](49b0202d01https://redirect.github.com/eslint/eslint/issues/20901 ))
(Tanuj Kanti)
-
[`9067f94`](9067f9492ehttps://redirect.github.com/eslint/eslint/issues/20893 ))
(Milos Djermanovic)
-
[`c91b041`](c91b0417e3e349265cb3https://redirect.github.com/eslint/eslint/issues/20885 ))
(Milos Djermanovic)
#### Chores
-
[`b0e466b`](b0e466b6abhttps://redirect.github.com/eslint/eslint/issues/20924 ))
(Tanuj Kanti)
-
[`f78838b`](f78838bc4chttps://redirect.github.com/eslint/eslint/issues/20904 ))
(Pixel998)
-
[`1daa4bd`](1daa4bd734https://redirect.github.com/eslint/eslint/issues/20922 ))
(Francesco Trotta)
-
[`002942c`](002942ce98https://redirect.github.com/eslint/eslint/issues/20919 ))
(Arpit Jain)
-
[`64bca24`](64bca24e7bhttps://redirect.github.com/eslint/eslint/issues/20912 ))
(ESLint Bot)
-
[`6d7c832`](6d7c832950https://redirect.github.com/eslint/eslint/issues/20908 ))
(Pixel998)
-
[`b2c8638`](b2c8638216https://redirect.github.com/eslint/eslint/issues/20889 ))
(dependabot\[bot])
-
[`a9b8d7f`](a9b8d7f74chttps://redirect.github.com/eslint/eslint/issues/20881 ))
(sethamus)
-
[`b702ead`](b702ead5e1https://redirect.github.com/eslint/eslint/issues/20884 ))
(Pixel998)
-
[`507f60e`](507f60e9a7https://redirect.github.com/eslint/eslint/issues/20882 ))
(ESLint Bot)
-
[`92f5c5b`](92f5c5bb6bhttps://redirect.github.com/eslint/eslint/issues/20878 ))
(kuldeep kumar)
-
[`df32108`](df321080afhttps://redirect.github.com/eslint/markdown )
and typescript-eslint ecosystem tests
([#​20837](https://redirect.github.com/eslint/eslint/issues/20837 ))
(sethamus)
-
[`327f91d`](327f91d36ahttps://redirect.github.com/eslint/eslint/issues/20876 ))
(Kirk Waiblinger)
-
[`f0dc4bd`](f0dc4bd893https://redirect.github.com/eslint/eslint/issues/20877 ))
(Milos Djermanovic)
-
[`0f4bd25`](0f4bd257a6https://redirect.github.com/eslint/eslint/issues/20873 ))
(Copilot)
</details>
<details>
<summary>import-js/eslint-import-resolver-typescript
(eslint-import-resolver-typescript)</summary>
###
[`v4.4.5`](https://redirect.github.com/import-js/eslint-import-resolver-typescript/blob/HEAD/CHANGELOG.md#445 )
[Compare
Source](https://redirect.github.com/import-js/eslint-import-resolver-typescript/compare/v4.4.4...v4.4.5 )
##### Patch Changes
-
[#​473](https://redirect.github.com/import-js/eslint-import-resolver-typescript/pull/473 )
[`32c61ab`](32c61abccfhttps://redirect.github.com/leey0818 )! - fix:
check tsconfig matching before using resolver
</details>
<details>
<summary>future-architect/eslint-plugin-vue-scoped-css
(eslint-plugin-vue-scoped-css)</summary>
###
[`v3.1.1`](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/blob/HEAD/CHANGELOG.md#311 )
[Compare
Source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/compare/v3.1.0...v3.1.1 )
##### Patch Changes
- Fix false positives in `vue-scoped-css/require-selector-used-inside`
for selectors that start with ignored pseudo-classes such as
`:has(...)`.
([#​496](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/pull/496 ))
</details>
<details>
<summary>nodeca/js-yaml (js-yaml)</summary>
###
[`v4.2.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#420---2026-06-01 )
[Compare
Source](https://redirect.github.com/nodeca/js-yaml/compare/4.1.1...590dbabadd172b099c07654fab2eabec8c7a07b9 )
##### Added
- Added `docs/safety.md` with notes about processing untrusted YAML.
- Added `maxDepth` (100) loader option. Not a problem, but gives a
better
exception instead of RangeError on stack overflow.
- Added `maxMergeSeqLength` (20) loader option. Not a problem after
`merge` fix,
but an additional restriction for safety.
- Added sourcemaps to `dist/` builds.
##### Changed
- Stop resolving numbers with underscores as numeric scalars,
[#​627](https://redirect.github.com/nodeca/js-yaml/issues/627 ).
- Switched dev toolchains to Vite / neostandard.
- Updated demo.
- Reorganized tests.
- `dist/` files are no longer kept in the repository.
##### Fixed
- Fix parsing of properties on the first implicit block mapping key,
[#​62](https://redirect.github.com/nodeca/js-yaml/issues/62 ).
- Fix trailing whitespace handling when folding flow scalar lines,
[#​307](https://redirect.github.com/nodeca/js-yaml/issues/307 ).
- Reject top-level block scalars without content indentation,
[#​280](https://redirect.github.com/nodeca/js-yaml/issues/280 ).
- Ensure numbers survive round-trip,
[#​737](https://redirect.github.com/nodeca/js-yaml/issues/737 ).
- Fix test coverage for issue
[#​221](https://redirect.github.com/nodeca/js-yaml/issues/221 ).
- Fix flow scalar trailing whitespace folding,
[#​307](https://redirect.github.com/nodeca/js-yaml/issues/307 ).
- Fix digits in YAML named tag handles.
##### Security
- Fix potential DoS via quadratic complexity in merge - deduplicate
repeated
elements (makes sense for malformed files > 10K).
</details>
<details>
<summary>pnpm/pnpm (pnpm)</summary>
###
[`v11.5.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1151 )
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.5.0...v11.5.1 )
##### Patch Changes
- Improve `pnpm audit` performance by pruning non-vulnerable lockfile
subtrees and stopping path enumeration once vulnerable findings reach
the path cap.
- Avoid crashing when the workspace state cache is partially written or
malformed.
- Set `npm_config_user_agent` for root lifecycle scripts during headless
installs.
- Preserve the `integrity` field of a remote (non-registry) tarball
dependency when its lockfile entry is rebuilt. Re-resolving such a
dependency without re-fetching it (for example via `pnpm update`, or
when another dependency changes) produced a resolution with no integrity
— URL/tarball resolvers only learn the integrity after the tarball is
downloaded — so the previously recorded integrity was dropped, making
later installs fail with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`
[#​12067](https://redirect.github.com/pnpm/pnpm/issues/12067 ).
- Normalize a string `repository` field into the `{ type, url }` object
form when creating the publish manifest, matching npm's behavior. Some
registries (e.g. Gitea/Codeberg) reject a string `repository` with a 500
Internal Server Error during `pnpm publish`
[#​12099](https://redirect.github.com/pnpm/pnpm/issues/12099 ).
- Preserve compatible optional peer versions already present in the
lockfile when resolving dependencies.
- Fixed inconsistent resolution of a peer dependency that is shared
through a diamond. When a package peer-depends on both another package
and one of that package's own peer dependencies (for example
`@typescript-eslint/eslint-plugin` peer-depends on both
`@typescript-eslint/parser` and `typescript`, and
`@typescript-eslint/parser` peer-depends on `typescript`), pnpm no
longer reuses a hoisted instance of the shared peer that was resolved
against a different version
[#​12079](https://redirect.github.com/pnpm/pnpm/issues/12079 ).
###
[`v11.5.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1150 )
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.4.0...v11.5.0 )
##### Minor Changes
- Added a new `hoistingLimits` setting for `nodeLinker: hoisted`
installs, mirroring yarn's `nmHoistingLimits`. It accepts `none` (the
default — hoist as far as possible), `workspaces` (hoist only as far as
each workspace package), or `dependencies` (hoist only up to each
workspace package's direct dependencies). Originally proposed in
[#​6468](https://redirect.github.com/pnpm/pnpm/pull/6468 ), closing
[#​6457](https://redirect.github.com/pnpm/pnpm/issues/6457 ).
- Replaced `enquirer` with `@inquirer/prompts` for all interactive
prompts. Fixes the `update -i` scrolling overflow bug where long choice
lists were clipped in the terminal
[#​6643](https://redirect.github.com/pnpm/pnpm/issues/6643 ).
**User-facing changes:**
- `pnpm update -i` / `pnpm update -i --latest`: Scrolling now works
correctly when many packages are available; the new library uses
visual-line-aware pagination via `usePagination`
- `pnpm audit --fix -i`: Same scrolling fix for vulnerability selection
- `pnpm approve-builds`: Interactive build approval prompts updated
- `pnpm patch`: Version selection and "apply to all" prompts updated
- `pnpm patch-remove`: Patch removal selection updated
- `pnpm publish`: Branch confirmation prompt updated
- `pnpm login`: Credential prompts updated
- `pnpm run` / `pnpm exec` (with `verifyDepsBeforeRun=prompt`):
Confirmation prompt updated
Vim-style `j`/`k` keys still work for up/down navigation in all
interactive prompts.
**Internal:** The `OtpEnquirer` and `LoginEnquirer` DI interfaces
changed from `{ prompt }` to `{ input }` / `{ input, password }`
respectively. Plugins or custom builds that inject their own enquirer
mock will need to update.
- Staged publishes are now recognized in the trust scale. When a package
version's registry metadata carries an `approver` field, it is treated
as the strongest trust evidence (ranked above trusted publishers and
provenance attestations), since staged publishes require 2FA publish
approvals. This prevents false-positive trust downgrade errors when
moving from a staged publish to a lower trust level
[#​11887](https://redirect.github.com/pnpm/pnpm/issues/11887 ).
##### Patch Changes
- Fix pnpm hanging during peer resolution when an aliased install pulls
in transitive packages with mutual peer cycles at different depths in
the dependency tree (for example, `pnpm i nuxt@npm:nuxt-nightly@5x`).
Cycles whose members hit the `findHit` cache instead of running their
own `calculateDepPath` are now short-circuited by sibling resolutions at
the level where the cycle is detected, so the cached path promises no
longer deadlock.
[#​11999](https://redirect.github.com/pnpm/pnpm/issues/11999 ).
- Fix `pnpm dist-tag add` and `pnpm dist-tag rm` against npmjs.org
failing without `--otp` with `[ERR_PNPM_UNAUTHORIZED] You must be logged
in to set dist-tag … "You must provide a one-time pass. Upgrade your
client to npm@latest in order to use 2FA."`. pnpm now sends
`npm-auth-type: web` on dist-tag writes and surfaces the resulting OTP
challenge through the existing browser-based 2FA flow (the same
`withOtpHandling` helper used by `pnpm publish`), so the browser opens,
the user authenticates, and the dist-tag is set on retry. `--otp=<code>`
continues to work via the classic flow.
- Fix `minimumReleaseAgeExclude` handling in npm resolution fast paths
so excluded packages do not get pinned to stale versions. Excludes are
honored consistently during `publishedBy` metadata selection and
cache-mtime shortcuts.
- Fix the `integrity` field being dropped from the lockfile entry of a
remote (non-registry) https-tarball dependency when an unrelated package
is installed afterwards. URL/tarball resolvers do not return an
integrity (it is only known after the tarball is downloaded), so when
such a dependency was reused from the lockfile without being re-fetched,
its integrity was lost. It is now carried over from the existing
resolution. With pnpm's lockfile-integrity hardening, the missing
integrity made subsequent `--frozen-lockfile` installs fail with
`ERR_PNPM_MISSING_TARBALL_INTEGRITY`.
[#​12001](https://redirect.github.com/pnpm/pnpm/issues/12001 ).
- Skip dependency re-resolution when `pnpm-lock.yaml` is missing but
`node_modules/.pnpm/lock.yaml` exists and still satisfies the manifest.
`pnpm install` now reuses the materialized snapshot to regenerate
`pnpm-lock.yaml` instead of walking the registry to rebuild it from
scratch, turning the cache+node\_modules variation into a near-no-op for
users who deleted the lockfile but kept the install
[#​11993](https://redirect.github.com/pnpm/pnpm/issues/11993 ).
`--frozen-lockfile` still refuses to proceed when `pnpm-lock.yaml` is
absent — the regenerated lockfile must be committed, so failing loudly
is the correct behavior for CI.
</details>
<details>
<summary>silverwind/rolldown-license-plugin
(rolldown-license-plugin)</summary>
###
[`v3.0.9`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.9 )
[Compare
Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.8...3.0.9 )
- update deps (silverwind)
- make: collapse patch/minor/major into one rule (silverwind)
- simplify generateBundle: pair dir+raw, rename shadow, inline
single-use const (silverwind)
- make update a combination target, split out update-js (silverwind)
- add update-actions make target (silverwind)
- remove authorship attribution rule from AGENTS.md (silverwind)
- docs: use defineConfig in README usage example (silverwind)
</details>
<details>
<summary>typescript-eslint/typescript-eslint
(typescript-eslint)</summary>
###
[`v8.60.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8601-2026-06-01 )
[Compare
Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.0...v8.60.1 )
This was a version bump only for typescript-eslint to align it with
other projects, there were no code changes.
See [GitHub
Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.1 )
for more information.
You can read about our [versioning
strategy](https://typescript-eslint.io/users/versioning ) and
[releases](https://typescript-eslint.io/users/releases ) on our website.
</details>
<details>
<summary>silverwind/updates (updates)</summary>
###
[`v17.17.3`](https://redirect.github.com/silverwind/updates/releases/tag/17.17.3 )
[Compare
Source](https://redirect.github.com/silverwind/updates/compare/17.17.2...17.17.3 )
- fix prerelease drop in updateVersionRange and scope regex (silverwind)
- fix 1.2.x ranges, docker tag corruption, and per-file cooldown
(silverwind)
- fix go +incompatible, cargo inline-table, and prerelease selection
(silverwind)
- fix --pin range parsing, url tag deps, and -s flag docs (silverwind)
- make update a combination target, split out update-js (silverwind)
- add update-actions make target (silverwind)
- remove authorship attribution rule from AGENTS.md (silverwind)
</details>
<details>
<summary>vitejs/vite (vite)</summary>
###
[`v8.0.16`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8016-2026-06-01-small )
[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.15...v8.0.16 )
##### Bug Fixes
- **deps:** reject UNC paths for launch-editor-middleware
([#​22571](https://redirect.github.com/vitejs/vite/issues/22571 ))
([50b9512](50b951225bhttps://redirect.github.com/vitejs/vite/issues/22572 ))
([dc245c7](dc245c71e5https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8015-2026-06-01-small )
[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.14...v8.0.15 )
##### Features
- send 408 on request timeout
([#​22476](https://redirect.github.com/vitejs/vite/issues/22476 ))
([c85c9ee](c85c9eeb9ahttps://redirect.github.com/vitejs/vite/issues/22538 ))
([646dbed](646dbedd28https://redirect.github.com/vitejs/vite/issues/22488 ))
([85a0eff](85a0eff1c8https://redirect.github.com/vitejs/vite/issues/22511 ))
([2686d7d](2686d7d0b7https://redirect.github.com/vitejs/vite/issues/21762 ))
([47c4213](47c4213f13https://redirect.github.com/vitejs/vite/issues/22497 ))
([5c8e98f](5c8e98f8b5https://redirect.github.com/vitejs/vite/issues/22528 ))
([e3cfb9d](e3cfb9deechttps://redirect.github.com/vitejs/vite/issues/22509 ))
([40985f1](40985f1c09https://redirect.github.com/vitejs/vite/issues/22566 ))
([3052a67](3052a67d93https://redirect.github.com/vitejs/vite/issues/22562 ))
([6978a9c](6978a9ceb9https://redirect.github.com/vitest-dev/vitest/releases/tag/v4.1.8 )
[Compare
Source](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.7...v4.1.8 )
##### 🐞 Bug Fixes
- **browser**:
- Disable client `cdp` API when `allowWrite/allowExec: false` \[backport
to v4] - by [@​hi-ogawa](https://redirect.github.com/hi-ogawa )
and **Codex** in
[#​10450](https://redirect.github.com/vitest-dev/vitest/issues/10450 )
[<samp>(e4067)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/e4067b3b1 )
- Remove orphaned Playwright route when same module is mocked via
multiple ids \[backport to v4] - by
[@​toxik](https://redirect.github.com/toxik ) and
[@​Zelys-DFKH](https://redirect.github.com/Zelys-DFKH ) in
[#​10474](https://redirect.github.com/vitest-dev/vitest/issues/10474 )
[<samp>(675b4)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/675b4343f )
##### [View changes on
GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.7...v4.1.8 )
</details>
<details>
<summary>vuejs/language-tools (vue-tsc)</summary>
###
[`v3.3.3`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#333-2026-05-30 )
[Compare
Source](https://redirect.github.com/vuejs/language-tools/compare/v3.3.2...v3.3.3 )
##### vscode
- **fix:** prevent grammar scopes leakage in capitalized tags
([#​6073](https://redirect.github.com/vuejs/language-tools/issues/6073 ))
- Thanks to [@​KazariEX](https://redirect.github.com/KazariEX )!
- **fix:** preserve TS auto imports behavior in Vue files
([#​6072](https://redirect.github.com/vuejs/language-tools/issues/6072 ))
- Thanks to [@​KazariEX](https://redirect.github.com/KazariEX )!
##### workspace
- **fix:** read PR title from env in `auto-version` workflow to prevent
injection
([#​6074](https://redirect.github.com/vuejs/language-tools/issues/6074 ))
- Thanks to
[@​arpitjain099](https://redirect.github.com/arpitjain099 )!
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- Only on Monday (`* * * * 1`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
Co-authored-by: bircni <bircni@icloud.com >
2026-06-08 06:03:55 +00:00
Giteabot
6dcae57b54
chore(deps): update action dependencies ( #38027 )
2026-06-08 07:40:35 +02:00
bircni
1c289df6eb
enhance: Adjust Workflow Graph styling ( #37497 )
...
- Fix workflow dependency graph overflow by making the graph container
scrollable (no more clipped DAGs; addresses #37493 ).
- Improve Actions job list readability by keeping durations
fixed-width/right-aligned so long times don’t squeeze job names.
- Make workflow graph layout more intuitive by vertically centering
shorter columns to reduce misleading “looks like it depends on”
alignments (addresses #37395 ).
### Screenshot
<img width="966" height="439"
src="https://github.com/user-attachments/assets/c180c5a2-4f56-4287-bcaa-f2735ba72949 "
/>
<img width="949" height="559"
src="https://github.com/user-attachments/assets/a383511d-a962-4920-b792-69f556847eff "
/>
Fixes #37493
Fixes #37395
---------
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-06-07 16:45:20 +00:00
bircni
ea35af1b68
fix: bound CODEOWNERS regex match time ( #38011 )
...
User-supplied CODEOWNERS patterns were compiled without a match timeout,
so a crafted pattern (e.g. (a+)+) against a crafted file path could
backtrack for tens of seconds inside the PR creation transaction and
exhaust the database connection pool. Set MatchTimeout on each compiled
rule; the caller already treats match errors as non-matches.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com >
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-06-07 15:30:18 +00:00
wxiaoguang
e2fbfc8730
fix: various dropdown problems ( #38020 )
...
1. remove legacy onResponseKeepSelectedItem, refactor the code to
dropdown.js
2. make dropdown correctly handle "single selection + remote query + filter"
* fix #38018
3. fix incorrect "transition" class usage for the dropdown dividers
2026-06-07 10:33:16 +00:00
wxiaoguang
9bbea90bfe
fix: pgsql lint ( #38022 )
2026-06-07 18:28:17 +08:00
Copilot
5fe4f962e8
refactor(api): clarify APIError message usage and fix legacy lint error ( #38012 )
...
Avoid unclear & fragile "any" tricks, fix various abuses
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-06-07 06:19:39 +00:00
bircni
c43eb7c33a
fix(auth): do not auto-reactivate disabled users on OAuth2 callback ( #38009 )
...
The OAuth2 sign-in callback unconditionally set IsActive=true on the
local user row whenever the IdP authenticated them, silently undoing an
administrator's "Disable Account" action and granting the user a fresh
session in the same response. Treat the local IsActive flag as an
authoritative admin override: inactive users get a session and are
routed through the existing activate / prohibit-login pages by
verifyAuthWithOptions, matching the local-credentials sign-in path.
Adds an integration regression test that disables a linked local user
and asserts the row stays IsActive=false after a full OIDC callback.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-06-06 22:07:47 +00:00
bircni
42513398c0
fix(lfs): reject unknown SSH LFS sub-verbs to prevent auth bypass ( #38008 )
...
An authenticated SSH user could pass a malformed sub-verb (e.g.
`git-lfs-authenticate <repo> badverb`) so getAccessMode falls through to
AccessModeNone (0). The permission check in routers/private/serv.go then
evaluates `userMode < 0` which is always false, granting a valid LFS JWT
for any private repository. The HTTP LFS handler only validates the Op
claim on writes, so the token works for downloads.
Validate the sub-verb in runServ before calling getAccessMode and fail
fast for anything other than upload/download.
2026-06-06 17:44:56 +02:00
Sandro
743bbaa9c2
fix: refactor git error handling and make archive streaming handle non-existing commit id ( #38007 )
...
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-06-06 11:06:08 +00:00
wxiaoguang
e88650cfcf
chore: fix various layout problems ( #37983 )
...
Fix various misaligments, fix space between list item bar items, remove
deadcode (milestone dashboard)
2026-06-06 09:24:03 +00:00
bircni
4088d7e241
fix(ui): keep actions run title intact when subject contains an issue ref ( #38005 )
2026-06-06 11:00:14 +02:00
bircni
3659b5acc2
ci(workflows): add AgentScan workflow to flag possible AI-assisted PRs ( #37962 )
...
This PR adds an automated AgentScan workflow to help detect and handle
pull requests that appear to be created or authored primarily by
automated agents.
- If a PR is classified as `automation` or community-flagged, the
workflow:
- Adds the `possible bot` label,
- Posts a policy comment linking to the repository AI Contribution
Policy (`CONTRIBUTING.md#ai-contribution-policy`) and listing required
disclosures and checks,
- Optionally closes the PR if classification indicates an
automated/unwelcome submission.
2026-06-05 23:33:40 +02:00
bircni
aa63d1583d
fix(actions): return 404 when job log blob is missing ( #38003 )
...
- When the `action_task` row exists but the underlying dbfs/storage blob
is gone, `OpenLogs` returns a wrapped `os.ErrNotExist` which surfaces as
a 500 on the job logs endpoints.
- Translate it to the same `util.NewNotExistErrorf` shape already used
for unknown job ids / expired logs, so both the API
(`/api/v1/repos/.../actions/jobs/<id>/logs`) and the web download
handler return a clean 404 instead.
Fixes #37990 .
2026-06-05 20:10:25 +02:00
GiteaBot
7a26d5a2ae
[skip ci] Updated translations via Crowdin
2026-06-05 01:18:00 +00:00
wxiaoguang
dac41a124f
fix!: raise git required version to 2.13 ( #37996 )
...
format `lstrip=2` is only supported in git >= 2.13
https://git-scm.com/docs/git-for-each-ref/2.13.7
ref: #37994
Co-authored-by: Giteabot <teabot@gitea.io >
2026-06-04 13:56:16 +00:00
Alexey Ivanov
aaf4b149fa
chore(deps): upgrade zstd seekable package ( #37988 )
...
Upgrade `github.com/SaveTheRbtz/zstd-seekable-format-go/pkg` from
`v0.8.3` to `v0.10.0`:
https://github.com/SaveTheRbtz/zstd-seekable-format-go/releases/tag/pkg%2Fv0.10.0
This keeps Gitea's seekable zstd wrapper on the stable v0.10 API while
preserving the existing public `modules/zstd` API.
API migration:
- update `SeekableWriter` and `SeekableReader` internals for the
concrete `*seekable.Writer` and `*seekable.Reader` types introduced by
SaveTheRbtz/zstd-seekable-format-go#264
- update generated dependency metadata after `go mod tidy` removed the
now-unused `github.com/google/btree` transitive dependency
- no Gitea call sites needed changes because `modules/zstd` still
exposes the same constructors and interfaces
Validation:
- `go test ./modules/zstd`
- `make --always-make checks-backend`
---------
Co-authored-by: Giteabot <teabot@gitea.io >
2026-06-04 13:38:56 +00:00
Harsh Mahajan
792fa5eeba
feat(api): add q parameter to list branches API for server-side filtering ( #37982 )
...
The GET /repos/{owner}/{repo}/branches endpoint currently has no way to
filter branches by name server-side, forcing API consumers to paginate
through all branches and filter client-side.
The UI already supports branch search (added in
[#27055 ](https://github.com/go-gitea/gitea/pull/27055 )). The underlying
DB layer has a Keyword field on FindBranchOptions in
models/git/branch_list.go that does a LIKE %keyword% SQL filter, it just
wasn't wired up to the API handler.
This PR exposes a ?q= query parameter on the endpoint that maps to
FindBranchOptions.Keyword.
Example:
```GET /repos/owner/repo/branches?q=feature ```
Closes #37981
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-06-03 16:21:48 -07:00
Thomas Sayen
b2748d7654
feat(ui): add "follow rename" to file commit history list ( #34994 )
...
Fix #28253
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-06-03 17:40:38 +00:00
TheFox0x7
735e940a61
fix(oauth2): not respecting claims before second login ( #37874 )
...
fixes defect where claims where only applies on login but not during
account linking making only the second login take them into account
fixes: https://github.com/go-gitea/gitea/issues/32566
2026-06-03 16:50:47 +00:00
Dawid Góra
623bb81bb9
fix(releases): generate notes for initial tag ( #37697 )
...
Fixes https://github.com/go-gitea/gitea/issues/37286
Automatic release notes for the first release in a repository were empty
when there was no previous tag.
Before this change, the release notes generator used the tag name to
build the changelog link, but reused that state for pull request
collection. When `PreviousTag` was empty, the PR collection logic did
not scan a useful commit range, so merged pull requests were omitted
from the generated notes.
This pull request fixes that by decoupling the internal PR collection
range from the rendered changelog link:
- when a previous tag exists, behavior stays unchanged
- when no previous tag exists, release notes collect merged pull
requests from the full reachable history up to the target tag
- the displayed full changelog link for the first release still uses the
existing `/commits/tag/{tag}` format
Tests were updated to cover:
- generating notes for a repository with no previous tags
- including merged pull requests before the first tag
- preserving existing behavior when a previous tag exists
2026-06-03 16:30:30 +00:00
wxiaoguang
fbaaac9c14
fix: remove "no-transfrom" from the cache-control header ( #37985 )
...
Cloudflare has officially removed the "auto-minify" feature
https://community.cloudflare.com/t/655677 , so we don't need such option
anymore.
Fix #34521
2026-06-04 00:12:02 +08:00
puni9869
79810ba2e3
fix: use committer time where ever possible as default ( #37969 )
...
Fix https://github.com/go-gitea/gitea/issues/37857
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-06-02 15:08:23 +08:00
Giteabot
9619d93e3b
chore(deps): update action dependencies ( #37964 )
...
This PR contains the following updates:
| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
|
[aws-actions/configure-aws-credentials](https://redirect.github.com/aws-actions/configure-aws-credentials )
| action | patch | `v6.1.1` → `v6.1.2` | `v6.1.3` |
|
[docker/build-push-action](https://redirect.github.com/docker/build-push-action )
| action | minor | `v7.1.0` → `v7.2.0` | |
| [docker/login-action](https://redirect.github.com/docker/login-action )
| action | minor | `v4.1.0` → `v4.2.0` | |
|
[docker/metadata-action](https://redirect.github.com/docker/metadata-action )
| action | minor | `v6.0.0` → `v6.1.0` | |
|
[docker/setup-buildx-action](https://redirect.github.com/docker/setup-buildx-action )
| action | minor | `v4.0.0` → `v4.1.0` | |
|
[docker/setup-qemu-action](https://redirect.github.com/docker/setup-qemu-action )
| action | minor | `v4.0.0` → `v4.1.0` | |
| redis | service | digest | `48e78eb` → `e74c9b9` | |
---
### Release Notes
<details>
<summary>aws-actions/configure-aws-credentials
(aws-actions/configure-aws-credentials)</summary>
###
[`v6.1.2`](https://redirect.github.com/aws-actions/configure-aws-credentials/releases/tag/v6.1.2 )
[Compare
Source](https://redirect.github.com/aws-actions/configure-aws-credentials/compare/v6.1.1...v6.1.2 )
##### Bug Fixes
- additional filesystem checks
([#​1799](https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1799 ))
([c39f282](c39f282697https://redirect.github.com/docker/build-push-action/releases/tag/v7.2.0 )
[Compare
Source](https://redirect.github.com/docker/build-push-action/compare/v7.1.0...v7.2.0 )
- Bump [@​actions/core](https://redirect.github.com/actions/core )
from 3.0.0 to 3.0.1 in
[#​1525](https://redirect.github.com/docker/build-push-action/pull/1525 )
- Bump
[@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit )
from 0.87.0 to 0.90.0 in
[#​1517](https://redirect.github.com/docker/build-push-action/pull/1517 )
- Bump brace-expansion from 2.0.2 to 5.0.6 in
[#​1534](https://redirect.github.com/docker/build-push-action/pull/1534 )
- Bump fast-xml-builder from 1.1.4 to 1.2.0 in
[#​1529](https://redirect.github.com/docker/build-push-action/pull/1529 )
- Bump fast-xml-parser from 5.5.7 to 5.8.0 in
[#​1521](https://redirect.github.com/docker/build-push-action/pull/1521 )
- Bump postcss from 8.5.6 to 8.5.10 in
[#​1526](https://redirect.github.com/docker/build-push-action/pull/1526 )
- Bump tar from 6.2.1 to 7.5.15 in
[#​1533](https://redirect.github.com/docker/build-push-action/pull/1533 )
**Full Changelog**:
<https://github.com/docker/build-push-action/compare/v7.1.0...v7.2.0 >
</details>
<details>
<summary>docker/login-action (docker/login-action)</summary>
###
[`v4.2.0`](https://redirect.github.com/docker/login-action/releases/tag/v4.2.0 )
[Compare
Source](https://redirect.github.com/docker/login-action/compare/v4.1.0...v4.2.0 )
- Bump [@​actions/core](https://redirect.github.com/actions/core )
from 3.0.0 to 3.0.1 in
[#​976](https://redirect.github.com/docker/login-action/pull/976 )
- Bump
[@​aws-sdk/client-ecr](https://redirect.github.com/aws-sdk/client-ecr )
and
[@​aws-sdk/client-ecr-public](https://redirect.github.com/aws-sdk/client-ecr-public )
to 3.1050.0 in
[#​960](https://redirect.github.com/docker/login-action/pull/960 )
- Bump
[@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit )
from 0.86.0 to 0.90.0 in
[#​970](https://redirect.github.com/docker/login-action/pull/970 )
- Bump brace-expansion from 2.0.1 to 5.0.6 in
[#​993](https://redirect.github.com/docker/login-action/pull/993 )
- Bump fast-xml-builder from 1.1.4 to 1.2.0 in
[#​985](https://redirect.github.com/docker/login-action/pull/985 )
- Bump fast-xml-parser from 5.3.6 to 5.8.0 in
[#​963](https://redirect.github.com/docker/login-action/pull/963 )
- Bump http-proxy-agent and https-proxy-agent to 9.0.0 in
[#​961](https://redirect.github.com/docker/login-action/pull/961 )
- Bump postcss from 8.5.6 to 8.5.10 in
[#​979](https://redirect.github.com/docker/login-action/pull/979 )
- Bump tar from 6.2.1 to 7.5.15 in
[#​991](https://redirect.github.com/docker/login-action/pull/991 )
- Bump vite from 7.3.1 to 7.3.3 in
[#​986](https://redirect.github.com/docker/login-action/pull/986 )
**Full Changelog**:
<https://github.com/docker/login-action/compare/v4.1.0...v4.2.0 >
</details>
<details>
<summary>docker/metadata-action (docker/metadata-action)</summary>
###
[`v6.1.0`](https://redirect.github.com/docker/metadata-action/releases/tag/v6.1.0 )
[Compare
Source](https://redirect.github.com/docker/metadata-action/compare/v6...v6.1.0 )
- Bump
[@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit )
from 0.79.0 to 0.90.0 in
[#​613](https://redirect.github.com/docker/metadata-action/pull/613 )
- Bump brace-expansion from 1.1.12 to 5.0.6 in
[#​658](https://redirect.github.com/docker/metadata-action/pull/658 )
[#​630](https://redirect.github.com/docker/metadata-action/pull/630 )
- Bump csv-parse from 6.1.0 to 6.2.1 in
[#​617](https://redirect.github.com/docker/metadata-action/pull/617 )
- Bump fast-xml-parser from 5.4.2 to 5.8.0 in
[#​620](https://redirect.github.com/docker/metadata-action/pull/620 )
- Bump flatted from 3.3.3 to 3.4.2 in
[#​623](https://redirect.github.com/docker/metadata-action/pull/623 )
- Bump glob from 10.3.15 to 10.5.0 in
[#​621](https://redirect.github.com/docker/metadata-action/pull/621 )
- Bump handlebars from 4.7.8 to 4.7.9 in
[#​629](https://redirect.github.com/docker/metadata-action/pull/629 )
- Bump lodash from 4.17.23 to 4.18.1 in
[#​639](https://redirect.github.com/docker/metadata-action/pull/639 )
- Bump moment-timezone from 0.6.0 to 0.6.1 in
[#​619](https://redirect.github.com/docker/metadata-action/pull/619 )
- Bump picomatch from 4.0.3 to 4.0.4 in
[#​626](https://redirect.github.com/docker/metadata-action/pull/626 )
- Bump postcss from 8.5.6 to 8.5.10 in
[#​649](https://redirect.github.com/docker/metadata-action/pull/649 )
- Bump tar from 6.2.1 to 7.5.15 in
[#​657](https://redirect.github.com/docker/metadata-action/pull/657 )
- Bump undici from 6.23.0 to 6.25.0 in
[#​614](https://redirect.github.com/docker/metadata-action/pull/614 )
- Bump vite from 7.3.1 to 7.3.2 in
[#​637](https://redirect.github.com/docker/metadata-action/pull/637 )
**Full Changelog**:
<https://github.com/docker/metadata-action/compare/v6.0.0...v6.1.0 >
</details>
<details>
<summary>docker/setup-buildx-action
(docker/setup-buildx-action)</summary>
###
[`v4.1.0`](https://redirect.github.com/docker/setup-buildx-action/releases/tag/v4.1.0 )
[Compare
Source](https://redirect.github.com/docker/setup-buildx-action/compare/v4...v4.1.0 )
- Bump
[@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit )
from 0.79.0 to 0.90.0 in
[#​489](https://redirect.github.com/docker/setup-buildx-action/pull/489 )
- Bump brace-expansion from 1.1.12 to 5.0.6 in
[#​547](https://redirect.github.com/docker/setup-buildx-action/pull/547 )
[#​508](https://redirect.github.com/docker/setup-buildx-action/pull/508 )
- Bump fast-xml-builder from 1.0.0 to 1.2.0 in
[#​540](https://redirect.github.com/docker/setup-buildx-action/pull/540 )
- Bump fast-xml-parser from 5.4.2 to 5.8.0 in
[#​496](https://redirect.github.com/docker/setup-buildx-action/pull/496 )
- Bump flatted from 3.3.3 to 3.4.2 in
[#​499](https://redirect.github.com/docker/setup-buildx-action/pull/499 )
- Bump glob from 10.3.12 to 13.0.6 in
[#​495](https://redirect.github.com/docker/setup-buildx-action/pull/495 )
- Bump handlebars from 4.7.8 to 4.7.9 in
[#​504](https://redirect.github.com/docker/setup-buildx-action/pull/504 )
- Bump lodash from 4.17.23 to 4.18.1 in
[#​523](https://redirect.github.com/docker/setup-buildx-action/pull/523 )
- Bump picomatch from 4.0.3 to 4.0.4 in
[#​503](https://redirect.github.com/docker/setup-buildx-action/pull/503 )
- Bump postcss from 8.5.6 to 8.5.10 in
[#​537](https://redirect.github.com/docker/setup-buildx-action/pull/537 )
- Bump tar from 6.2.1 to 7.5.15 in
[#​545](https://redirect.github.com/docker/setup-buildx-action/pull/545 )
- Bump undici from 6.23.0 to 6.25.0 in
[#​492](https://redirect.github.com/docker/setup-buildx-action/pull/492 )
- Bump vite from 7.3.1 to 7.3.2 in
[#​520](https://redirect.github.com/docker/setup-buildx-action/pull/520 )
**Full Changelog**:
<https://github.com/docker/setup-buildx-action/compare/v4.0.0...v4.1.0 >
</details>
<details>
<summary>docker/setup-qemu-action (docker/setup-qemu-action)</summary>
###
[`v4.1.0`](https://redirect.github.com/docker/setup-qemu-action/releases/tag/v4.1.0 )
[Compare
Source](https://redirect.github.com/docker/setup-qemu-action/compare/v4...v4.1.0 )
- Add `reset` input to uninstall current emulators by
[@​crazy-max](https://redirect.github.com/crazy-max ) in
[#​21](https://redirect.github.com/docker/setup-qemu-action/pull/21 )
- Bump
[@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit )
from 0.77.0 to 0.91.0 in
[#​250](https://redirect.github.com/docker/setup-qemu-action/pull/250 )
[#​247](https://redirect.github.com/docker/setup-qemu-action/pull/247 )
- Bump brace-expansion from 1.1.12 to 1.1.15 in
[#​265](https://redirect.github.com/docker/setup-qemu-action/pull/265 )
- Bump fast-xml-builder from 1.0.0 to 1.2.0 in
[#​286](https://redirect.github.com/docker/setup-qemu-action/pull/286 )
- Bump fast-xml-parser from 5.4.2 to 5.8.0 in
[#​255](https://redirect.github.com/docker/setup-qemu-action/pull/255 )
- Bump flatted from 3.3.3 to 3.4.2 in
[#​257](https://redirect.github.com/docker/setup-qemu-action/pull/257 )
- Bump glob from 10.3.15 to 10.5.0 in
[#​254](https://redirect.github.com/docker/setup-qemu-action/pull/254 )
- Bump handlebars from 4.7.8 to 4.7.9 in
[#​262](https://redirect.github.com/docker/setup-qemu-action/pull/262 )
- Bump lodash from 4.17.23 to 4.18.1 in
[#​273](https://redirect.github.com/docker/setup-qemu-action/pull/273 )
- Bump postcss from 8.5.6 to 8.5.10 in
[#​285](https://redirect.github.com/docker/setup-qemu-action/pull/285 )
- Bump tar from 6.2.1 to 7.5.15 in
[#​287](https://redirect.github.com/docker/setup-qemu-action/pull/287 )
- Bump tmp from 0.2.5 to 0.2.6 in
[#​291](https://redirect.github.com/docker/setup-qemu-action/pull/291 )
- Bump undici from 6.23.0 to 6.26.0 in
[#​251](https://redirect.github.com/docker/setup-qemu-action/pull/251 )
- Bump vite from 7.3.1 to 7.3.2 in
[#​271](https://redirect.github.com/docker/setup-qemu-action/pull/271 )
**Full Changelog**:
<https://github.com/docker/setup-qemu-action/compare/v4.0.0...v4.1.0 >
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- Only on Monday (`* * * * 1`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: silverwind <me@silverwind.io >
2026-06-02 05:53:44 +00:00
Giteabot
798578115b
fix(deps): update npm dependencies, remove nolyfill ( #37968 )
...
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/ ) |
[Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
|
[@eslint-community/eslint-plugin-eslint-comments](https://redirect.github.com/eslint-community/eslint-plugin-eslint-comments )
| [`4.7.1` →
`4.7.2`](https://renovatebot.com/diffs/npm/@eslint-community%2feslint-plugin-eslint-comments/4.7.1/4.7.2 )
|
|
|
| [@primer/octicons](https://primer.style/octicons )
([source](https://redirect.github.com/primer/octicons )) | [`19.26.0` →
`19.27.0`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.26.0/19.27.0 )
|
|
|
|
[@typescript-eslint/parser](https://typescript-eslint.io/packages/parser )
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser ))
| [`8.59.4` →
`8.60.0`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.4/8.60.0 )
|
|
|
|
[@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest )
| [`1.6.17` →
`1.6.18`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.17/1.6.18 )
|
|
|
| [dayjs](https://day.js.org )
([source](https://redirect.github.com/iamkun/dayjs )) | [`1.11.20` →
`1.11.21`](https://renovatebot.com/diffs/npm/dayjs/1.11.20/1.11.21 ) |
|
|
| [katex](https://katex.org )
([source](https://redirect.github.com/KaTeX/KaTeX )) | [`0.16.47` →
`0.17.0`](https://renovatebot.com/diffs/npm/katex/0.16.47/0.17.0 ) |
|
|
|
[material-icon-theme](https://redirect.github.com/material-extensions/vscode-material-icon-theme/blob/main/README.md )
([source](https://redirect.github.com/material-extensions/vscode-material-icon-theme ))
| [`5.34.0` →
`5.35.0`](https://renovatebot.com/diffs/npm/material-icon-theme/5.34.0/5.35.0 )
|
|
|
| [pnpm](https://pnpm.io )
([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm )) |
[`11.2.1` →
`11.4.0`](https://renovatebot.com/diffs/npm/pnpm/11.2.1/11.4.0 ) |
|
|
|
[rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin )
| [`3.0.7` →
`3.0.8`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.7/3.0.8 )
|
|
|
|
[typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint )
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint ))
| [`8.59.4` →
`8.60.0`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.4/8.60.0 )
|
|
|
| [updates](https://redirect.github.com/silverwind/updates ) |
[`17.16.13` →
`17.17.2`](https://renovatebot.com/diffs/npm/updates/17.16.13/17.17.2 ) |
|
|
| [vite](https://vite.dev )
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite ))
| [`8.0.13` →
`8.0.14`](https://renovatebot.com/diffs/npm/vite/8.0.13/8.0.14 ) |
|
|
| [vue](https://vuejs.org/ )
([source](https://redirect.github.com/vuejs/core )) | [`3.5.34` →
`3.5.35`](https://renovatebot.com/diffs/npm/vue/3.5.34/3.5.35 ) |
|
|
| [vue-tsc](https://redirect.github.com/vuejs/language-tools )
([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc ))
| [`3.3.1` →
`3.3.2`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.1/3.3.2 ) |
|
|
---
### Release Notes
<details>
<summary>eslint-community/eslint-plugin-eslint-comments
(@​eslint-community/eslint-plugin-eslint-comments)</summary>
###
[`v4.7.2`](https://redirect.github.com/eslint-community/eslint-plugin-eslint-comments/releases/tag/v4.7.2 )
[Compare
Source](https://redirect.github.com/eslint-community/eslint-plugin-eslint-comments/compare/v4.7.1...v4.7.2 )
##### Bug Fixes
- **deps:** pin `modern-monaco` version to 0.4.0
([#​320](https://redirect.github.com/eslint-community/eslint-plugin-eslint-comments/issues/320 ))
([62a2c3a](62a2c3a4eehttps://redirect.github.com/eslint-community/eslint-plugin-eslint-comments/issues/311 ))
([42919d0](42919d06d8https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19270 )
[Compare
Source](https://redirect.github.com/primer/octicons/compare/v19.26.0...v19.27.0 )
##### Minor Changes
- [#​1203](https://redirect.github.com/primer/octicons/pull/1203 )
[`a69618e4`](a69618e4b6https://redirect.github.com/ericwbailey )! -
Add flag icon
##### Patch Changes
- [#​1212](https://redirect.github.com/primer/octicons/pull/1212 )
[`02bd1ef8`](02bd1ef8d1https://redirect.github.com/ericwbailey )! -
remove hardcoded fill from flag icon
</details>
<details>
<summary>typescript-eslint/typescript-eslint
(@​typescript-eslint/parser)</summary>
###
[`v8.60.0`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8600-2026-05-25 )
[Compare
Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.4...v8.60.0 )
This was a version bump only for parser to align it with other projects,
there were no code changes.
See [GitHub
Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.0 )
for more information.
You can read about our [versioning
strategy](https://typescript-eslint.io/users/versioning ) and
[releases](https://typescript-eslint.io/users/releases ) on our website.
</details>
<details>
<summary>vitest-dev/eslint-plugin-vitest
(@​vitest/eslint-plugin)</summary>
###
[`v1.6.18`](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/releases/tag/v1.6.18 )
[Compare
Source](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.17...v1.6.18 )
##### 🐞 Bug Fixes
- Correct `requiresTypeChecking` metadata for four rules - by
[@​inglec-arista](https://redirect.github.com/inglec-arista ) in
[#​905](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/905 )
[<samp>(e06a3)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/e06a3dc )
##### [View changes on
GitHub](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.17...v1.6.18 )
</details>
<details>
<summary>iamkun/dayjs (dayjs)</summary>
###
[`v1.11.21`](https://redirect.github.com/iamkun/dayjs/blob/HEAD/CHANGELOG.md#11121-2026-05-26 )
[Compare
Source](https://redirect.github.com/iamkun/dayjs/compare/v1.11.20...v1.11.21 )
##### Bug Fixes
- preserve unsupported year tokens in format
([#​3015](https://redirect.github.com/iamkun/dayjs/issues/3015 ))
([#​3016](https://redirect.github.com/iamkun/dayjs/issues/3016 ))
([8fda602](8fda602beahttps://redirect.github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#0170-2026-05-22 )
[Compare
Source](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.47...v0.17.0 )
##### Performance Improvements
- simplify `defineFunction` to avoid destructuring, improve typing
([#​4222](https://redirect.github.com/KaTeX/KaTeX/issues/4222 ))
([fb604e6](fb604e6ba6https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.46...v0.16.47 )
(2026-05-16)
##### Bug Fixes
- correct size of `[` big delimiter
([#​4217](https://redirect.github.com/KaTeX/KaTeX/issues/4217 ))
([7ba0027](7ba0027d2fhttps://redirect.github.com/KaTeX/KaTeX/issues/4215 )
####
[0.16.46](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.45...v0.16.46 )
(2026-05-13)
##### Bug Fixes
- preserve math font in some styling commands
([#​4214](https://redirect.github.com/KaTeX/KaTeX/issues/4214 ))
([e9ee046](e9ee0464ddhttps://redirect.github.com/KaTeX/KaTeX/issues/4213 )
####
[0.16.45](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.44...v0.16.45 )
(2026-04-05)
##### Bug Fixes
- wrap vcenter mpadded in mrow for valid MathML
([#​4193](https://redirect.github.com/KaTeX/KaTeX/issues/4193 ))
([ee66b78](ee66b78d24https://redirect.github.com/KaTeX/KaTeX/issues/4078 )
####
[0.16.44](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.43...v0.16.44 )
(2026-03-27)
##### Bug Fixes
- remove extra \jot space at bottom of align/gather/etc.
([#​4184](https://redirect.github.com/KaTeX/KaTeX/issues/4184 ))
([3870ee9](3870ee913ehttps://redirect.github.com/KaTeX/KaTeX/compare/v0.16.42...v0.16.43 )
(2026-03-26)
##### Bug Fixes
- use makeEm() consistently to truncate long CSS decimals
([#​4181](https://redirect.github.com/KaTeX/KaTeX/issues/4181 ))
([0967dcc](0967dcc027https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.41...v0.16.42 )
(2026-03-24)
##### Features
- \underbracket and \overbracket
([#​4147](https://redirect.github.com/KaTeX/KaTeX/issues/4147 ))
([5be9abb](5be9abb0b4https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.40...v0.16.41 )
(2026-03-24)
##### Bug Fixes
- \sout in text mode
([#​4173](https://redirect.github.com/KaTeX/KaTeX/issues/4173 ))
([e748578](e748578b63https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.39...v0.16.40 )
(2026-03-20)
##### Bug Fixes
- **css:** specify position: relative for .katex
([#​4170](https://redirect.github.com/KaTeX/KaTeX/issues/4170 ))
([020f0d8](020f0d8956https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.38...v0.16.39 )
(2026-03-19)
##### Bug Fixes
- middle dot in text mode
([#​4169](https://redirect.github.com/KaTeX/KaTeX/issues/4169 ))
([edb45b0](edb45b0b17https://redirect.github.com/KaTeX/KaTeX/issues/3641 )
####
[0.16.38](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.37...v0.16.38 )
(2026-03-08)
##### Bug Fixes
- accent skew mixed with font specifiers
([#​4159](https://redirect.github.com/KaTeX/KaTeX/issues/4159 ))
([aea3375](aea33758d6https://redirect.github.com/KaTeX/KaTeX/issues/4121 )
####
[0.16.37](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.36...v0.16.37 )
(2026-03-06)
##### Bug Fixes
- negative-width `\hphantom` and symmetric `\smash`
([#​4153](https://redirect.github.com/KaTeX/KaTeX/issues/4153 ))
([d4799ca](d4799cae58https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.35...v0.16.36 )
(2026-03-06)
##### Bug Fixes
- contrib esm bloat
([#​4157](https://redirect.github.com/KaTeX/KaTeX/issues/4157 ))
([2bde1ad](2bde1adab2https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.34...v0.16.35 )
(2026-03-05)
##### Bug Fixes
- version number regression
([#​4155](https://redirect.github.com/KaTeX/KaTeX/issues/4155 ))
([db26b73](db26b73380https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.33...v0.16.34 )
(2026-03-05)
##### Bug Fixes
- emoji with variation selector
([#​4151](https://redirect.github.com/KaTeX/KaTeX/issues/4151 ))
([c2606e5](c2606e5db9https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.32...v0.16.33 )
(2026-02-23)
##### Bug Fixes
- **scss:** forward variables to fonts module
([#​4146](https://redirect.github.com/KaTeX/KaTeX/issues/4146 ))
([9349a64](9349a64a05https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.31...v0.16.32 )
(2026-02-22)
##### Bug Fixes
- italic separation in \mathnormal
([#​4143](https://redirect.github.com/KaTeX/KaTeX/issues/4143 ))
([71305a0](71305a0514https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.30...v0.16.31 )
(2026-02-22)
##### Bug Fixes
- `\*frac` sizing
([#​4137](https://redirect.github.com/KaTeX/KaTeX/issues/4137 ))
([ef51f18](ef51f18dedhttps://redirect.github.com/KaTeX/KaTeX/compare/v0.16.29...v0.16.30 )
(2026-02-22)
##### Bug Fixes
- no line breaks after `\not`
([#​4140](https://redirect.github.com/KaTeX/KaTeX/issues/4140 ))
([2d1ba86](2d1ba86143https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.28...v0.16.29 )
(2026-02-22)
##### Bug Fixes
- `\imath` and other `\html@mathml` macros in arguments
([#​4139](https://redirect.github.com/KaTeX/KaTeX/issues/4139 ))
([a850cce](a850cce7cchttps://redirect.github.com/KaTeX/KaTeX/compare/v0.16.27...v0.16.28 )
(2026-01-25)
##### Bug Fixes
- **type:** add missing types definition path to package.json
([#​4125](https://redirect.github.com/KaTeX/KaTeX/issues/4125 ))
([0ef8921](0ef8921d18https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.26...v0.16.27 )
(2025-12-07)
##### Features
- support equals sign and surrounding whitespace in \htmlData attribute
values
([#​4112](https://redirect.github.com/KaTeX/KaTeX/issues/4112 ))
([c77aaec](c77aaec00chttps://redirect.github.com/KaTeX/KaTeX/compare/v0.16.25...v0.16.26 )
(2025-12-07)
##### Bug Fixes
- \mathop followed by integral symbol
([6fbad18](6fbad18857https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.24...v0.16.25 )
(2025-10-13)
##### Features
- **css:** provide `katex-swap.css` that uses `font-display: swap`
([#​3940](https://redirect.github.com/KaTeX/KaTeX/issues/3940 ))
([b3f9ce6](b3f9ce691ehttps://redirect.github.com/KaTeX/KaTeX/issues/2242 )
####
[0.16.24](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.23...v0.16.24 )
(2025-10-12)
##### Features
- support hex colors with alpha
([#​4090](https://redirect.github.com/KaTeX/KaTeX/issues/4090 ))
([8c9b306](8c9b306396https://redirect.github.com/KaTeX/KaTeX/issues/4067 )
[#fA6](https://redirect.github.com/KaTeX/KaTeX/issues/fA6 )
[#fA6f1](https://redirect.github.com/KaTeX/KaTeX/issues/fA6f1 )
####
[0.16.23](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.22...v0.16.23 )
(2025-10-03)
##### Bug Fixes
- Support `\def` with arguments via `macros` option
([#​4087](https://redirect.github.com/KaTeX/KaTeX/issues/4087 ))
([80a8158](80a815856ahttps://redirect.github.com/KaTeX/KaTeX/compare/v0.16.21...v0.16.22 )
(2025-04-09)
##### Bug Fixes
- \relax in base or exponent of super/subscript
([#​4045](https://redirect.github.com/KaTeX/KaTeX/issues/4045 ))
([1f43c84](1f43c84a17https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.20...v0.16.21 )
(2025-01-17)
##### Bug Fixes
- escape \htmlData attribute name
([57914ad](57914ad91ehttps://redirect.github.com/KaTeX/KaTeX/compare/v0.16.19...v0.16.20 )
(2025-01-12)
##### Bug Fixes
- \providecommand does not overwrite existing macro
([#​4000](https://redirect.github.com/KaTeX/KaTeX/issues/4000 ))
([6d30fe4](6d30fe47b0https://redirect.github.com/KaTeX/KaTeX/issues/3928 )
####
[0.16.19](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.18...v0.16.19 )
(2024-12-29)
##### Bug Fixes
- **types:** improve `strict` function type
([#​4009](https://redirect.github.com/KaTeX/KaTeX/issues/4009 ))
([4228b4e](4228b4eb52https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.17...v0.16.18 )
(2024-12-18)
##### Bug Fixes
- Actually publish TypeScript type definitions
([#​4008](https://redirect.github.com/KaTeX/KaTeX/issues/4008 ))
([629b873](629b87354fhttps://redirect.github.com/KaTeX/KaTeX/compare/v0.16.16...v0.16.17 )
(2024-12-17)
##### Bug Fixes
- MathML combines multidigit numbers with sup/subscript, comma
separators, and multicharacter text when outputting to DOM
([#​3999](https://redirect.github.com/KaTeX/KaTeX/issues/3999 ))
([7d79e22](7d79e220f4https://redirect.github.com/KaTeX/KaTeX/issues/3995 )
####
[0.16.16](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.15...v0.16.16 )
(2024-12-17)
##### Features
- ESM exports, TypeScript types
([#​3992](https://redirect.github.com/KaTeX/KaTeX/issues/3992 ))
([ea9c173](ea9c173a0dhttps://redirect.github.com/KaTeX/KaTeX/compare/v0.16.14...v0.16.15 )
(2024-12-09)
##### Features
- italic sans-serif in math mode via `\mathsfit` command
([#​3998](https://redirect.github.com/KaTeX/KaTeX/issues/3998 ))
([2218901](22189018b6https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.13...v0.16.14 )
(2024-12-08)
##### Features
- \dddot and \ddddot support
([#​3834](https://redirect.github.com/KaTeX/KaTeX/issues/3834 ))
([bda35cd](bda35cdb0ahttps://redirect.github.com/KaTeX/KaTeX/issues/2744 )
####
[0.16.13](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.12...v0.16.13 )
(2024-12-08)
##### Bug Fixes
- `\vdots` and `\rule` support in text mode
([#​3997](https://redirect.github.com/KaTeX/KaTeX/issues/3997 ))
([0e08352](0e08352623https://redirect.github.com/KaTeX/KaTeX/issues/3990 )
####
[0.16.12](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.11...v0.16.12 )
(2024-12-08)
##### Features
- **css:** configurable margin for display math
([#​3638](https://redirect.github.com/KaTeX/KaTeX/issues/3638 ))
([3405001](3405001225https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.10...v0.16.11 )
(2024-07-02)
##### Features
- add \emph
([#​3963](https://redirect.github.com/KaTeX/KaTeX/issues/3963 ))
([9f34da4](9f34da4b3chttps://redirect.github.com/KaTeX/KaTeX/issues/3566 )
####
[0.16.10](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.9...v0.16.10 )
(2024-03-24)
##### Bug Fixes
- \edef bypassing maxExpand via exponential blowup
([e88b4c3](e88b4c357fc5897fcd1ffc5af64183https://redirect.github.com//datatracker.ietf.org/doc/html/rfc3986/issues/section-3 )
- maxExpand limit with Unicode sub/superscripts
([085e21b](085e21b5dahttps://redirect.github.com/KaTeX/KaTeX/compare/v0.16.8...v0.16.9 )
(2023-10-02)
##### Features
- Support bold Fraktur
([#​3777](https://redirect.github.com/KaTeX/KaTeX/issues/3777 ))
([240d5ae240d5aede9https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.7...v0.16.8 )
(2023-06-24)
##### Features
- expose error length and raw error message on ParseError
([#​3820](https://redirect.github.com/KaTeX/KaTeX/issues/3820 ))
([710774a](710774aaebhttps://redirect.github.com/KaTeX/KaTeX/compare/v0.16.6...v0.16.7 )
(2023-04-28)
##### Bug Fixes
- **docs/support\_table.md:** delete redundant "varPsi"
([#​3814](https://redirect.github.com/KaTeX/KaTeX/issues/3814 ))
([33a1b98](33a1b98710https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.5...v0.16.6 )
(2023-04-17)
##### Bug Fixes
- Support `\let` via `macros` option
([#​3738](https://redirect.github.com/KaTeX/KaTeX/issues/3738 ))
([bdb0be2](bdb0be2017https://redirect.github.com/KaTeX/KaTeX/issues/3737 )
[#​3737](https://redirect.github.com/KaTeX/KaTeX/issues/3737 )
####
[0.16.5](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.4...v0.16.5 )
(2023-04-17)
##### Features
- \_\_defineFunction API exposing internal defineFunction
([#​3805](https://redirect.github.com/KaTeX/KaTeX/issues/3805 ))
([c7b1f84](c7b1f84b78https://redirect.github.com/KaTeX/KaTeX/issues/3756 )
####
[0.16.4](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.3...v0.16.4 )
(2022-12-07)
##### Bug Fixes
- space should prevent optional argument to \
([#​3746](https://redirect.github.com/KaTeX/KaTeX/issues/3746 ))
([a0deb34](a0deb3410fhttps://redirect.github.com/KaTeX/KaTeX/issues/3745 )
####
[0.16.3](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.2...v0.16.3 )
(2022-10-22)
##### Bug Fixes
- \hline after \cr
([#​3735](https://redirect.github.com/KaTeX/KaTeX/issues/3735 ))
([ebf6bf5](ebf6bf5b50https://redirect.github.com/KaTeX/KaTeX/issues/3734 )
####
[0.16.2](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.1...v0.16.2 )
(2022-08-29)
##### Bug Fixes
- **auto-render:** concatenate content of successive text nodes
([#​3422](https://redirect.github.com/KaTeX/KaTeX/issues/3422 ))
([4d3fdd8](4d3fdd8647https://redirect.github.com/KaTeX/KaTeX/issues/3505 ))
([176552a](176552a691https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.0...v0.16.1 )
(2022-08-28)
##### Bug Fixes
- Use SVGs for some stacked delims
([#​3686](https://redirect.github.com/KaTeX/KaTeX/issues/3686 ))
([8a65a2e](8a65a2e1fdhttps://redirect.github.com/material-extensions/vscode-material-icon-theme/blob/HEAD/CHANGELOG.md#v5350 )
[Compare
Source](https://redirect.github.com/material-extensions/vscode-material-icon-theme/compare/v5.34.0...v5.35.0 )
[compare
changes](https://redirect.github.com/material-extensions/vscode-material-icon-theme/compare/v5.34.0...v5.35.0 )
##### 🚀 Enhancements
- Add CAD file extensions to 3d icon mapping
([#​3436](https://redirect.github.com/material-extensions/vscode-material-icon-theme/pull/3436 ))
- Add tsdown icon
([#​3418](https://redirect.github.com/material-extensions/vscode-material-icon-theme/pull/3418 ))
- Add new icons for mrpack
([#​3439](https://redirect.github.com/material-extensions/vscode-material-icon-theme/pull/3439 ))
- Add support for vercel.ts icon (typed Vercel configuration)
([#​3441](https://redirect.github.com/material-extensions/vscode-material-icon-theme/pull/3441 ))
- Support jxl image file type
([#​3444](https://redirect.github.com/material-extensions/vscode-material-icon-theme/pull/3444 ))
- Add uiua file icon
([#​3408](https://redirect.github.com/material-extensions/vscode-material-icon-theme/pull/3408 ))
- Add folder associations for rust/cargo projects
([#​3447](https://redirect.github.com/material-extensions/vscode-material-icon-theme/pull/3447 ))
- **icon:** Add zed folder icon
([#​3442](https://redirect.github.com/material-extensions/vscode-material-icon-theme/pull/3442 ))
- **icon:** Add redis icon
([#​3450](https://redirect.github.com/material-extensions/vscode-material-icon-theme/pull/3450 ))
- Add more unit tests for writefile helper function
([9e4c98aa](https://redirect.github.com/material-extensions/vscode-material-icon-theme/commit/9e4c98aa ))
- Include language IDs into the file icons
([c9a9d2ed](https://redirect.github.com/material-extensions/vscode-material-icon-theme/commit/c9a9d2ed ))
- Update dependencies
([d7274c71](https://redirect.github.com/material-extensions/vscode-material-icon-theme/commit/d7274c71 ))
##### 🩹 Fixes
- Add rootDir to tsconfig.declarations.json for TypeScript 6
([4f7f49e9](https://redirect.github.com/material-extensions/vscode-material-icon-theme/commit/4f7f49e9 ))
- Correct typos in CONTRIBUTING.md
([4de4acf7](https://redirect.github.com/material-extensions/vscode-material-icon-theme/commit/4de4acf7 ))
##### 💅 Refactors
- **core:** Rewrite toTitleCase for clarity and add tests
([33c0e614](https://redirect.github.com/material-extensions/vscode-material-icon-theme/commit/33c0e614 ))
- Remove duplicate toTitleCase, consolidate imports
([e247951d](https://redirect.github.com/material-extensions/vscode-material-icon-theme/commit/e247951d ))
##### 🏡 Chore
- Improve release process
([b959b483](https://redirect.github.com/material-extensions/vscode-material-icon-theme/commit/b959b483 ))
##### ✅ Tests
- **core:** Add comprehensive tests for object helpers
([57f476c5](https://redirect.github.com/material-extensions/vscode-material-icon-theme/commit/57f476c5 ))
##### ❤️ Contributors
- Philipp Kief ([@​PKief](https://redirect.github.com/PKief ))
- Sayan Shankhari
([@​SayanShankhari](https://redirect.github.com/SayanShankhari ))
- Tymon Marek
([@​TymonMarek](https://redirect.github.com/TymonMarek ))
- Unteksi-ozar
([@​Unteksi-ozar](https://redirect.github.com/Unteksi-ozar ))
- 锐冰 SharpIce
([@​SharpIceX](https://redirect.github.com/SharpIceX ))
- El Mahdi Bennajah
([@​bennajah](https://redirect.github.com/bennajah ))
- Glitch714
([@​glitchplaysgames714](https://redirect.github.com/glitchplaysgames714 ))
- Andrin Haldner
([@​AHaldner](https://redirect.github.com/AHaldner ))
- Kaden Gruizenga ([@​kgruiz](https://redirect.github.com/kgruiz ))
</details>
<details>
<summary>pnpm/pnpm (pnpm)</summary>
###
[`v11.4.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1140 )
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.3.0...v11.4.0 )
##### Minor Changes
- Treat tarball-integrity mismatches against the lockfile as a hard
failure by default. Previously, `pnpm install` (non-frozen) would log
`ERR_PNPM_TARBALL_INTEGRITY`, silently re-resolve from the registry, and
overwrite the locked integrity — which meant a compromised registry,
proxy, or republished version could substitute attacker-controlled
content on a clean machine even though the project shipped a committed
lockfile.
`pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` and a hint
pointing at the new opt-in flag.
The only opt-in is **`pnpm install --update-checksums`** — narrowly
scoped to refreshing the locked integrity values from what the registry
currently serves. Mirrors yarn's flag of the same name. A warning still
prints when the bypass takes effect so the operation is auditable.
`--force` and `pnpm update` deliberately do **not** bypass the integrity
check. They are routine refresh operations; silently overwriting a
locked integrity in those flows would erase the protection a committed
lockfile is supposed to provide. `--frozen-lockfile` behavior is
unchanged. `--fix-lockfile` keeps its documented purpose (filling in
missing lockfile entries) and is also not a bypass.
- `pnpm runtime set <name> <version>` now saves the runtime to
`devEngines.runtime` by default instead of `engines.runtime`. Pass
`--save-prod` (or `-P`) to save it to `engines.runtime` instead
[#​11948](https://redirect.github.com/pnpm/pnpm/issues/11948 ).
##### Patch Changes
- Fix a credential disclosure issue where an unscoped `_authToken` (or
`_auth`, or `username` + `_password`, or `tokenHelper`) defined in one
source — `~/.npmrc`, `~/.config/pnpm/auth.ini`, a workspace `.npmrc`,
CLI flags, etc. — would be sent as an `Authorization` header to
whichever registry a different (potentially untrusted) source named. The
same fix extends to client TLS credentials (`cert`, `key`) so they
aren't presented to a registry their author didn't choose.
pnpm now rewrites each unscoped per-registry setting (`_authToken`,
`_auth`, `username`, `_password`, `tokenHelper`, `cert`, `key`) to its
URL-scoped form at load time, using the `registry=` value declared in
the same source (or the npmjs default registry if the source declares
none). A later layer overriding `registry=` therefore cannot pull an
unscoped credential along, because it is already pinned to the URL its
author intended. `ca`/`cafile` are intentionally not rescoped — they're
trust anchors, not credentials, and corporate MITM-proxy setups rely on
them applying globally.
Every rescope emits a deprecation warning telling the user where the
setting was pinned and how to write it directly. npm has rejected
unscoped credentials outright since `npm@9`, and pnpm intends to remove
support in a future major release. To target a specific registry, write
the setting URL-scoped (e.g. `//registry.example.com/:_authToken=...` or
`//registry.example.com/:cert=...`).
`@pnpm/network.auth-header`: removed the `defaultRegistry` parameter
from `createGetAuthHeaderByURI` and `getAuthHeadersFromCreds`. Now that
credentials are URL-scoped at load time, the merged `configByUri` never
contains the empty-string "default registry" placeholder slot, so
re-keying it onto the merged default registry is no longer needed.
- Fix `pnpm deploy` crashing with `ENOENT: ... lstat
'<deployDir>/node_modules'` when `configDependencies` declares pacquet
(`pacquet` or `@pnpm/pacquet`). The deploy directory never installs
config dependencies, so the install engine they designate isn't on disk
to invoke; the nested install now skips them.
- Reject git resolutions whose `commit` field is not a 40-character
hexadecimal SHA before invoking `git`. A malicious lockfile could
otherwise smuggle a value such as `--upload-pack=<command>` through `git
fetch` / `git checkout`, which on SSH or local-file transports executes
the supplied command.
- Limit concurrent project manifest reads while listing large workspaces
to avoid `EMFILE` errors.
- Reject patch files whose `diff --git` headers reference paths outside
the patched package directory. Previously a malicious `.patch` file
added via a pull request could write, delete, or rename arbitrary files
reachable by the user running `pnpm install`.
- Improve the log message that pnpm prints after auto-adding entries to
`minimumReleaseAgeExclude` when `minimumReleaseAge` is set without
`minimumReleaseAgeStrict`. The message previously referred to the
internal "loose mode" terminology, which wasn't searchable in the docs;
it now tells the user to set `minimumReleaseAgeStrict` to `true` if they
want these updates gated behind a prompt instead
[#​11747](https://redirect.github.com/pnpm/pnpm/issues/11747 ).
- Reject dependency aliases that contain path-traversal segments (such
as `@x/../../../../../.git/hooks`) when reading them from a package
manifest or symlinking them into `node_modules`. A malicious registry
package could otherwise use a transitive dependency key to make `pnpm
install` create symlinks at attacker-chosen paths outside the intended
`node_modules` directory.
- Reject `pnpm-lock.yaml` entries whose remote tarball `resolution:`
block is missing the `integrity` field. Previously the worker that
extracts a downloaded tarball skipped hash verification when no
integrity was supplied and minted a fresh one from the unverified bytes,
so an attacker who could both alter the lockfile (e.g. via a pull
request that strips `integrity:`) and serve modified content at the
referenced tarball URL could install a tampered package without any
error — including under `--frozen-lockfile`. pnpm now fails closed at
lockfile-read time with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. Git-hosted
tarballs (`gitHosted: true` or a URL on codeload.github.com /
bitbucket.org / gitlab.com) and `file:` tarballs are exempt — the commit
SHA in a git-host URL and the user-controlled local path already anchor
the bytes.
- Validate `devEngines.runtime` and `engines.runtime` version ranges for
`node`, `deno`, and `bun` when `onFail` is set to `error` or `warn`.
Previously these settings only had an effect with `onFail: 'download'` —
the `error` and `warn` modes silently did nothing
[#​11818](https://redirect.github.com/pnpm/pnpm/issues/11818 ).
Violations now throw `ERR_PNPM_BAD_RUNTIME_VERSION`.
- Require provenance before treating trusted publisher metadata as the
strongest trust evidence.
###
[`v11.3.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1130 )
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.2.2...v11.3.0 )
##### Minor Changes
- Added `pnpm stage` with `publish`, `list`, `view`, `approve`,
`reject`, and `download` subcommands for npm staged publishing.
- Added a new setting `trustLockfile`. When `true`, `pnpm install` skips
the supply-chain verification pass that re-applies `minimumReleaseAge` /
`trustPolicy='no-downgrade'` to every entry in the loaded lockfile. The
install treats the lockfile as already-trusted — useful for
closed-source projects where every commit comes from a trusted author.
Defaults to `false`; verification stays on by default. Set in
`pnpm-workspace.yaml`.
Also cut the memory footprint of the verification pass itself: the
per-(registry, name) trust-meta cache previously retained the full
packument — dependency graphs, scripts, README, and per-version
manifests — for the entire install. On large workspaces (`~4k` lockfile
entries with `minimumReleaseAge` + `trustPolicy: no-downgrade` enabled)
this could OOM CI runners with a 2GB heap cap. The cache now stores only
the fields the trust check actually reads (`time`, per-version
`_npmUser.trustedPublisher`, `dist.attestations.provenance`). The
abbreviated-metadata cache is similarly projected to just the
package-level `modified` field and the set of currently-listed version
names. Fixes
[#​11860](https://redirect.github.com/pnpm/pnpm/issues/11860 ).
- Implemented `pnpm pkg` command natively, following `npm pkg`
standards.
- Implemented `pnpm repo` command natively, following `npm repo`
standards.
- Implemented `pnpm set-script` (alias `ss`) natively. Adds or updates
an entry in the `scripts` field of the project manifest, supporting
`package.json`, `package.json5`, and `package.yaml` formats.
- Add a `skip-manifest-obfuscation` option for `pnpm pack` and `pnpm
publish`. When enabled, the original `packageManager` field and publish
lifecycle scripts are kept in the packed/published manifest instead of
being stripped. The pnpm-specific `pnpm` field continues to be omitted.
##### Patch Changes
- Fixed `pnpm dlx` failing with `ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND`
when the installed package's CAS slot is missing its `package.json`.
Observed in the wild for `pnpm dlx node@runtime:<version>` when the GVS
slot was populated without the synthesized manifest runtime archives
need (they don't ship a `package.json` of their own, so the synthesized
one is the only way it gets there; an existing slot from an earlier code
path that skipped the synthesis stays incomplete). The bin link itself
is wired up from the resolution and remains valid, so `dlx` now falls
back to the scopeless package name when the slot's manifest is
unreadable — for single-bin packages (the dlx common case, including
every `runtime:` spec) this matches what `manifest.bin` would have
named. Multi-bin packages already require `--package=<spec> <bin>` to
disambiguate and don't enter this code path.
- Fixed non-determinism in `pnpm dedupe` and `pnpm install` when a
dependency graph contains packages with transitive peer dependencies on
each other (e.g. `@aws-sdk/client-sts` and `@aws-sdk/client-sso-oidc`)
and `auto-install-peers` is enabled. The lockfile no longer flips
between two equally-valid forms across consecutive runs. The root cause
was that `resolveDependencies` pushed onto its `pkgAddresses` /
`postponedResolutionsQueue` arrays from inside `Promise.all`-spawned
callbacks, so completion-order timing leaked into the array order and
downstream cyclic-peer suffix assignment. Fixes
[#​8155](https://redirect.github.com/pnpm/pnpm/issues/8155 ).
- Fixed a regression introduced by
[#​11711](https://redirect.github.com/pnpm/pnpm/pull/11711 ) where
`pnpm add <github-shorthand>` (and any other wanted-dependency whose
alias can't be parsed from the user-supplied spec, e.g. tarball URLs or
`pnpm/test-git-fetch#sha`) was silently dropped from the manifest update
and from `pendingBuilds`. The alias-keyed lookup added in that PR
couldn't find a `wantedDependency` whose `alias` was `undefined` at
parse time but resolved to a package name only after fetching, so the
entry never made it into `specsToUpsert`. Restored the original
index-based pairing between `directDependencies` and
`wantedDependencies`; the catalog-protocol preservation that PR was
originally fixing is unaffected because it's driven by
`rdd.catalogLookup.userSpecifiedBareSpecifier`, not by the lookup. Fixes
the three `rebuilds dependencies` / `rebuilds specific dependencies` /
`rebuild with pending option` failures in
`building/commands/test/build/index.ts`.
- Fixed `pnpm add --config` leaving orphan entries in
`pnpm-lock.env.yaml` (the optional subdependencies of the previously
resolved version of the updated config dependency).
###
[`v11.2.2`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1122 )
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.2.1...v11.2.2 )
##### Patch Changes
- When the install engine is delegated to pacquet via
`configDependencies`, the user's CLI flags passed to `pnpm install`
(e.g. `--no-runtime`, `--prod`, `--dev`, `--no-optional`,
`--node-linker`, `--cpu`/`--os`/`--libc`, `--offline`,
`--prefer-offline`) are now forwarded to pacquet's `install` subcommand
verbatim. Previously pacquet was invoked with a fixed argument list, so
flags like `--no-runtime` were silently dropped. Flag forwarding is
gated on the command being `install`/`i`; `add`, `update`, and `dedupe`
still don't forward (their flag surface doesn't line up with pacquet's
`install`).
- Fixed `pnpm up` (and `pnpm add` / `pnpm remove`) failing with
`pacquet_package_manager::outdated_lockfile` when pacquet is declared in
`configDependencies`. pnpm now passes `--ignore-manifest-check` to
pacquet so its `--frozen-lockfile` check doesn't fire against the
(pre-mutation) `package.json` pnpm hasn't written yet
[#​11797](https://redirect.github.com/pnpm/pnpm/issues/11797 ).
Requires a pacquet release that supports the flag — bump
`PACQUET_VERSION` in the e2e tests once it ships.
</details>
<details>
<summary>silverwind/rolldown-license-plugin
(rolldown-license-plugin)</summary>
###
[`v3.0.8`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.8 )
[Compare
Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.7...3.0.8 )
- update deps (silverwind)
- swap path.join for template concat in I/O hot paths (silverwind)
- simplify license sort and allow-branch control flow (silverwind)
</details>
<details>
<summary>typescript-eslint/typescript-eslint
(typescript-eslint)</summary>
###
[`v8.60.0`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8600-2026-05-25 )
[Compare
Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.4...v8.60.0 )
This was a version bump only for typescript-eslint to align it with
other projects, there were no code changes.
See [GitHub
Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.0 )
for more information.
You can read about our [versioning
strategy](https://typescript-eslint.io/users/versioning ) and
[releases](https://typescript-eslint.io/users/releases ) on our website.
</details>
<details>
<summary>silverwind/updates (updates)</summary>
###
[`v17.17.2`](https://redirect.github.com/silverwind/updates/releases/tag/17.17.2 )
[Compare
Source](https://redirect.github.com/silverwind/updates/compare/17.17.1...17.17.2 )
- Read github env tokens lazily instead of at import (silverwind)
###
[`v17.17.1`](https://redirect.github.com/silverwind/updates/releases/tag/17.17.1 )
[Compare
Source](https://redirect.github.com/silverwind/updates/compare/17.17.0...17.17.1 )
- Scope GitHub token fallback to GitHub hosts only (silverwind)
###
[`v17.17.0`](https://redirect.github.com/silverwind/updates/releases/tag/17.17.0 )
[Compare
Source](https://redirect.github.com/silverwind/updates/compare/17.16.13...17.17.0 )
- update deps (silverwind)
- Add per-package `overrides` config option
([#​140](https://redirect.github.com/silverwind/updates/issues/140 ))
(silverwind)
- fix three bugs in range/tag handling (silverwind)
</details>
<details>
<summary>vitejs/vite (vite)</summary>
###
[`v8.0.14`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8014-2026-05-21-small )
[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.13...v8.0.14 )
##### Features
- update rolldown to 1.0.2
([#​22484](https://redirect.github.com/vitejs/vite/issues/22484 ))
([96efc88](96efc88570https://redirect.github.com/vitejs/vite/issues/22471 ))
([98b8163](98b8163213https://redirect.github.com/vitejs/vite/issues/22450 ))
([e8e9a34](e8e9a34dcfhttps://redirect.github.com/vitejs/vite/issues/22480 ))
([5d94d1b](5d94d1bffdhttps://redirect.github.com/vitejs/vite/issues/22342 ))
([b3132da](b3132daceahttps://redirect.github.com/vitejs/vite/issues/22470 ))
([7cb728e](7cb728eb622c69495f25https://redirect.github.com/vitejs/vite/issues/22310 ))
([0ae2844](0ae2844ab6https://redirect.github.com/vitejs/vite/issues/22449 ))
([ebf39a0](ebf39a0432https://redirect.github.com/vuejs/core/blob/HEAD/CHANGELOG.md#3535-2026-05-27 )
[Compare
Source](https://redirect.github.com/vuejs/core/compare/v3.5.34...v3.5.35 )
##### Bug Fixes
- **compiler-core:** avoid double processing v-for keys with v-memo
([#​14861](https://redirect.github.com/vuejs/core/issues/14861 ))
([34a0ded](34a0ded4d2https://redirect.github.com/vuejs/core/issues/14859 )
- **compiler-sfc:** resolve top-level exports from files registered as
global types
([#​14805](https://redirect.github.com/vuejs/core/issues/14805 ))
([3d077f2](3d077f26e3nuxt/nuxt#33694 ](https://redirect.github.com/nuxt/nuxt/issues/33694 )
- **runtime-core:** avoid repeated hydration mismatch checks
([#​14857](https://redirect.github.com/vuejs/core/issues/14857 ))
([170fc95](170fc95eb6https://redirect.github.com/vuejs/core/issues/14855 )
- **runtime-core:** skip idle persisted transition hooks in keep-alive
moves
([#​14865](https://redirect.github.com/vuejs/core/issues/14865 ))
([80fc139](80fc139f90https://redirect.github.com/vuejs/core/issues/14031 )
- **server-renderer:** propagate sync errors from `ssrRenderSuspense`
([#​14804](https://redirect.github.com/vuejs/core/issues/14804 ))
([4760997](47609975e2nuxt/nuxt#28162 ](https://redirect.github.com/nuxt/nuxt/issues/28162 )
- **teleport:** skip child unmount when pending mount discarded
([#​14876](https://redirect.github.com/vuejs/core/issues/14876 ))
([#​14877](https://redirect.github.com/vuejs/core/issues/14877 ))
([584beb1](584beb1262https://redirect.github.com/vuejs/core/issues/14860 ))
([5734fe9](5734fe97f6https://redirect.github.com/vuejs/core/issues/14828 ))
([bb18dc8](bb18dc8e56https://redirect.github.com/vuejs/core/issues/14821 ))
([1b7a2cc](1b7a2cc15chttps://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#332-2026-05-25 )
[Compare
Source](https://redirect.github.com/vuejs/language-tools/compare/v3.3.1...v3.3.2 )
##### language-core
- **feat:** preserve literal types for inline `v-for` sources
([#​6067](https://redirect.github.com/vuejs/language-tools/issues/6067 ))
- Thanks to [@​kkesidis](https://redirect.github.com/kkesidis )!
- **fix:** align `v-bind` shorthand identifier skipping with
interpolation - Thanks to
[@​KazariEX](https://redirect.github.com/KazariEX )!
##### vscode
- **feat:** transform tsserver content
([#​6062](https://redirect.github.com/vuejs/language-tools/issues/6062 ))
- Thanks to [@​KazariEX](https://redirect.github.com/KazariEX )!
- **fix:** do not mark trailing slash in capitalized self-closing tags
as invalid
([#​6065](https://redirect.github.com/vuejs/language-tools/issues/6065 ))
- Thanks to [@​suisanka](https://redirect.github.com/suisanka )!
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- Only on Monday (`* * * * 1`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: silverwind <me@silverwind.io >
2026-06-02 07:18:20 +02:00
Giteabot
ab2a72fe04
fix(deps): update module github.com/google/go-github/v87 to v88 ( #37971 )
...
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/ ) |
[Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
|
[github.com/google/go-github/v87](https://redirect.github.com/google/go-github )
| `v87.0.0` → `v88.0.0` |
|
|
---
### Release Notes
<details>
<summary>google/go-github (github.com/google/go-github/v87)</summary>
###
[`v88.0.0`](https://redirect.github.com/google/go-github/releases/tag/v88.0.0 )
[Compare
Source](https://redirect.github.com/google/go-github/compare/v87.0.0...v88.0.0 )
This release contains the following breaking API changes:
- refactor!: Change app installation `Find*` methods to `Get*`
([#​4243](https://redirect.github.com/google/go-github/issues/4243 ))
BREAKING CHANGE: App installation methods are renamed from `Find*` to
`Get*`.
...and the following additional changes:
- chore: Bump version of go-github to v88.0.0
([#​4245](https://redirect.github.com/google/go-github/issues/4245 ))
- chore: Update `openapi_operations.yaml`
([#​4242](https://redirect.github.com/google/go-github/issues/4242 ))
- feat: Add support for setting client URLs
([#​4240](https://redirect.github.com/google/go-github/issues/4240 ))
- refactor: Add constants for API versions
([#​4236](https://redirect.github.com/google/go-github/issues/4236 ))
- docs: Formatting and punctuation changes
([#​4235](https://redirect.github.com/google/go-github/issues/4235 ))
- feat: Add `GetParentIssue` for sub-issues
([#​4232](https://redirect.github.com/google/go-github/issues/4232 ))
- chore: Bump go-github from v86 to v87 in /scrape
([#​4234](https://redirect.github.com/google/go-github/issues/4234 ))
</details>
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
2026-06-01 23:32:32 +00:00
Giteabot
9aa4e897e7
chore(deps): update tool dependencies ( #37965 )
...
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/ ) |
[Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [github.com/air-verse/air](https://redirect.github.com/air-verse/air )
| `v1.65.2` → `v1.65.3` |
|
|
|
[github.com/editorconfig-checker/editorconfig-checker/v3](https://redirect.github.com/editorconfig-checker/editorconfig-checker )
| `v3.6.1` → `v3.7.0` |
|
|
---
### Release Notes
<details>
<summary>air-verse/air (github.com/air-verse/air)</summary>
###
[`v1.65.3`](https://redirect.github.com/air-verse/air/releases/tag/v1.65.3 )
[Compare
Source](https://redirect.github.com/air-verse/air/compare/v1.65.2...v1.65.3 )
##### What's Changed
- Extend stale workflow timeout by
[@​xiantang](https://redirect.github.com/xiantang ) in
[#​903](https://redirect.github.com/air-verse/air/pull/903 )
- Increase stale workflow operation limit by
[@​xiantang](https://redirect.github.com/xiantang ) in
[#​904](https://redirect.github.com/air-verse/air/pull/904 )
- Add review guidelines for coding agents by
[@​xiantang](https://redirect.github.com/xiantang ) in
[#​905](https://redirect.github.com/air-verse/air/pull/905 )
- Add configurable color output mode by
[@​xiantang](https://redirect.github.com/xiantang ) in
[#​907](https://redirect.github.com/air-verse/air/pull/907 )
- fix: rewatch files after atomic saves by
[@​xiantang](https://redirect.github.com/xiantang ) in
[#​908](https://redirect.github.com/air-verse/air/pull/908 )
- follow-up: fix watcher recovery after atomic saves by
[@​xiantang](https://redirect.github.com/xiantang ) in
[#​909](https://redirect.github.com/air-verse/air/pull/909 )
- Accept .config/air.toml by
[@​bersace](https://redirect.github.com/bersace ) in
[#​716](https://redirect.github.com/air-verse/air/pull/716 )
- fix: keep built binary after app shutdown by
[@​mariusvniekerk](https://redirect.github.com/mariusvniekerk ) in
[#​911](https://redirect.github.com/air-verse/air/pull/911 )
##### New Contributors
- [@​bersace](https://redirect.github.com/bersace ) made their
first contribution in
[#​716](https://redirect.github.com/air-verse/air/pull/716 )
**Full Changelog**:
<https://github.com/air-verse/air/compare/v1.65.2...v1.65.3 >
</details>
<details>
<summary>editorconfig-checker/editorconfig-checker
(github.com/editorconfig-checker/editorconfig-checker/v3)</summary>
###
[`v3.7.0`](https://redirect.github.com/editorconfig-checker/editorconfig-checker/releases/tag/v3.7.0 )
[Compare
Source](https://redirect.github.com/editorconfig-checker/editorconfig-checker/compare/v3.6.1...v3.7.0 )
##### Features
- **files:** expand glob patterns in passed-file args
([#​190](https://redirect.github.com/editorconfig-checker/editorconfig-checker/issues/190 ))
([#​558](https://redirect.github.com/editorconfig-checker/editorconfig-checker/issues/558 ))
([4c0f326](4c0f326cfahttps://redirect.github.com/editorconfig-checker/editorconfig-checker/issues/557 ))
([9f4014c](9f4014ce09https://redirect.github.com/editorconfig-checker/editorconfig-checker/issues/550 ))
([f47b30c](f47b30c967https://redirect.github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
2026-06-01 21:05:09 +00:00
wxiaoguang
85f563da6c
chore: various frontend changes ( #37973 )
2026-06-01 20:38:23 +00:00
Lunny Xiao
689ace1ce2
feat(orgs): Add search bar for organization members tab page ( #37347 )
...
Resolve #37072
<img width="1312" height="186" alt="image"
src="https://github.com/user-attachments/assets/3ca9eddb-9230-4b0d-992f-5b19e475e267 "
/>
---------
Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
Co-authored-by: bircni <bircni@icloud.com >
2026-06-01 20:16:04 +00:00
TheFox0x7
9155a81b9d
docs: mark openapi3 as autogenerated in attributes ( #37963 )
...
Change from Co-Authored by trailer to Assisted-By and explicitly forbid
LLMs from signing off on commits.
---------
Signed-off-by: bircni <bircni@icloud.com >
Signed-off-by: silverwind <me@silverwind.io >
Co-authored-by: bircni <bircni@icloud.com >
Co-authored-by: silverwind <me@silverwind.io >
2026-06-01 16:22:17 +00:00
GiteaBot
5c084c883c
[skip ci] Updated translations via Crowdin
2026-06-01 01:23:43 +00:00
silverwind
a39b2775ed
test: speed up two tests ( #37905 )
...
Two test-only changes that cut the `-race` backend unit job's critical
path, with no behavior change.
- **`modules/auth/password/hash`** — `TestHashing`/`TestVectors`
exercised the CPU-bound KDFs (scrypt `N=65536`, pbkdf2, bcrypt, argon2)
serially on one core. Marking the subtests `t.Parallel()` fans them
across cores. The hasher registry they read is only mutated by the
non-parallel `Test_registerHasher`, so this is race-free.
- **`services/release`** — `TestRelease_Update`/`TestRelease_createTag`
slept `6x time.Sleep(2s)` only to cross the 1-second `CreatedUnix`
boundary. Replaced with an advancing mocked clock (`timeutil.MockSet`),
making the timestamp assertions deterministic and removing the real
waits.
---
This PR was written with the help of Claude Opus 4.8
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com >
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
2026-05-31 03:33:13 +00:00
silverwind
d0eba5e961
chore(deps): update urfave/cli/v3 to v3.9.0 ( #37863 )
...
Updates `github.com/urfave/cli/v3` to
[v3.9.0](https://github.com/urfave/cli/releases/tag/v3.9.0 ) and removes
the renovate pin now that
[urfave/cli#2319 ](https://github.com/urfave/cli/pull/2319 ) (the `-c`
help flag parsing fix) is merged.
v3.9.0 prepends the default command name to the root command's args,
which broke the old `Root().Args()` check in `isValidDefaultSubCommand`.
It now uses the command's own `Args()`.
Behavior change: `./gitea web <extra-positional-arg>` now errors with
`unknown command` instead of starting the web server and ignoring the
trailing arg. `web` takes no positional args, so this is stricter (and
arguably more correct) input handling. The intended `./gitea bad-cmd`
rejection is unchanged.
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
Co-authored-by: Nicolas <bircni@icloud.com >
2026-05-30 20:56:16 +00:00
Lunny Xiao
4e5f43896e
fix(auth): ignore stale OIDC external login links to organizations ( #37875 )
...
## Summary
This fixes an OIDC sign-in edge case where a stale `external_login_user`
record can still point to an organization or a deleted user.
In that situation, Gitea may keep resolving the external login to the
wrong account during sign-in. For affected instances, this matches the
behavior reported in #36439 and #37812 , where a user signing in with
OIDC/Entra ID could appear as an organization, or hit a 404 after that
organization was removed.
## What changed
- validate the user resolved from `external_login_user` during
OAuth2/OIDC login
- ignore stale links when the linked user no longer exists
- ignore stale links when the linked user is not an individual user
- remove the stale external login row so the sign-in flow can relink the
external account to the correct user
## Related
- Fixes #37812
- Related to #36439
---------
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com >
2026-05-30 20:37:09 +00:00
silverwind
28096162fa
chore(css): remove unneeded CSS vendor prefixes ( #37903 )
...
Removes redundant/obsolete WebKit prefixes:
- `-webkit-mask-*` — duplicate the unprefixed `mask-*` siblings already
present; every supported browser handles unprefixed CSS Masking
longhands.
- `-webkit-overflow-scrolling: touch` — a no-op outside iOS Safari <13.
Browser floor (all support unprefixed `mask`): Chrome 120+, Safari
15.4+, Firefox 53+, and PaleMoon/Goanna (verified: unprefixed `mask`
longhands implemented unconditionally in UXP).
---
This PR was written with the help of Claude Opus 4.8
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com >
2026-05-30 20:18:10 +00:00
silverwind
82cf75b68a
enhance(markup): improve issue title rendering ( #37908 )
2026-05-30 18:55:26 +02:00
Zettat123
0359746abe
feat(actions)!: improve support for reusable workflows ( #37478 )
...
## Summary
This PR improves reusable workflow support for Gitea Actions. The
parsing of the called workflow now happens on Gitea side, not on the
runner. When the caller becomes ready, Gitea fetches the called workflow
source, parses it, and inserts each child job into the database as a
`ActionRunJob` linked to the caller via `ParentCallJobID`. As a result,
every callee job is dispatched as its own task and its logs surface as
an independent job entry in the UI, rather than being inlined into the
caller's "Set up job" step.
This PR supports two kinds of `uses` :
- same-repo call: `uses: ./.gitea/workflows/foo.yaml`
- cross-repo call: `uses: OWNER/REPO/.gitea/workflows/foo.yaml@REF`
## **⚠️ BREAKING ⚠️ **
External reusable workflows (`uses:
https://other-gitea-instance/OWNER/REPO/.gitea/workflows/test.yaml@REF `)
are no longer supported. To keep using them, clone the repositories to
the local instance.
## Main changes
### Execution model
- Each caller job carries `IsReusableCaller=true` and won't be fetched
by runners.
- `ParentCallJobID` can link a called job to its caller.
- Caller status is derived from its direct children.
### Workflow syntax
- `jobparser` now supports parsing `on: workflow_call` trigger with
`inputs:`, `outputs:`, and `secrets:` declarations.
- **Max nesting depth**: capped at `MaxReusableCallLevels = 9`, which
means a top-level caller may have at most 9 nested callers below it.
- **Cycle prevention**: at expansion time, `checkCallerChain` walks the
caller's ancestor chain via `ParentCallJobID` and rejects if the same
`uses:` string appears anywhere upstream (`reusable workflow call cycle
detected`). This catches both direct (`A -> A`) and indirect (`A -> B ->
A`) cycles.
### Cross-repo access
- To share reusable workflows from private repos, use `Collaborative
Owners` introduced by #32562
### Rerun semantics
- `expandRerunJobIDs` partitions the latest attempt's jobs into:
- a **rerun set**: jobs being rerun + downstream siblings within the
same scope.
- an **ancestor set**: reusable callers whose only *some* descendants
are being rerun (the caller itself is not).
- Cloning behavior for callers in `execRerunPlan`:
- **Caller is fully rerun** (caller's `AttemptJobID` in `rerunSet`):
none of its descendants are cloned. The caller is cloned with
`IsCallerExpanded=false`, and re-expansion (which reinserts the children
fresh) happens later when the resolver brings the caller to `Waiting`
again.
- **Caller is in ancestor set** (only some descendants rerun): the
caller is pass-through (`Status` will be updated by its fresh children).
Its non-rerun descendants are also pass-through clones (point
`SourceTaskID` at the original task). Their `ParentCallJobID` is
remapped to the new attempt's caller row.
### UI
- Job list in `RepoActionView.vue` is now tree-shaped: callers indent
their children. Callers default to collapsed.
- New caller detail page using `WorkflowGraph` to show direct children
only; the run summary's `WorkflowGraph` shows top-level callers and
their immediate descendants.
### Known trade-offs
- **Caller expansion runs inside the enclosing write transaction.**
`expandReusableWorkflowCaller` performs a git read of the called
workflow while holding the row locks that update the caller and insert
its children. This is intentional: the caller-row update and child-row
inserts must commit atomically. None of the call sites is hot (each
caller is expanded once per attempt), so the trade-off is acceptable.
- **A malformed `if:` expression on a job leaves it `Blocked`
silently.** `evaluateJobIf` now runs server-side as part of resolver
passes; deterministic expression errors (typos, undefined context
fields) are logged but do not surface in the UI. This is the same
behavior the resolver already had for concurrency-expression errors.
Distinguishing transient DB errors from user-authored expression errors
and writing the latter back as `StatusFailure` is a follow-up.
#### Screenshots
<img width="1600" alt="image"
src="https://github.com/user-attachments/assets/bfaa9b7a-07e9-4127-8de9-a81f86e82828 "
/>
<img width="1600" alt="image"
src="https://github.com/user-attachments/assets/8af109b3-ef28-4b53-aaad-d4632b923224 "
/>
## References
-
https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows
-
https://docs.github.com/en/actions/reference/workflows-and-actions/reusing-workflow-configurations
---
Replace #36388
---------
Signed-off-by: Zettat123 <zettat123@gmail.com >
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
2026-05-30 08:31:14 +02:00
silverwind
2960d6889c
ci: stabilize Elasticsearch tests ( #37906 )
...
At a 512m heap the CI Elasticsearch GC-thrashes under the jobs' memory
pressure and goes unresponsive, flaking `test-unit` (ES indexer tests
time out) and `test-mysql` (the ES-backed issue indexer blocks the
per-test queue flush). Raise the heap to 1g and disable ML + the startup
GeoIP download.
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com >
2026-05-30 01:08:57 +00:00
Nicolas
a342206a21
fix(locales): Replace hardcoded strings ( #37788 )
...
The Workflow Dependencies graph in the Actions run details view had
hard-coded English strings.
Also in projects view and contributors view I found some hard-coded
strings.
The other items in the issue #37787 (Summary / All jobs / Run Details /
Workflow file / Triggered via / Total duration) were already wired
through ctx.Locale.Tr; their translations just need to land in the
non-English locale_*.json files via the translation pipeline.
Fixes #37787
---------
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com >
2026-05-29 23:50:55 +00:00
Giteabot
d07a42e777
fix(deps): update module golang.org/x/image to v0.41.0 [security] ( #37904 )
...
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/ ) |
[Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [golang.org/x/image](https://pkg.go.dev/golang.org/x/image ) |
[`v0.40.0` →
`v0.41.0`](https://cs.opensource.google/go/x/image/+/refs/tags/v0.40.0...refs/tags/v0.41.0 )
|
|
|
---
### Panic when reading out of bound palette index in
golang.org/x/image/bmp
[CVE-2026-42500](https://nvd.nist.gov/vuln/detail/CVE-2026-42500 ) /
[GO-2026-5031](https://pkg.go.dev/vuln/GO-2026-5031 )
<details>
<summary>More information</summary>
#### Details
Decoding a paletted BMP file with an out-of-range palette index results
in a panic when accessing pixels in the invalid image.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79576 ](https://go.dev/issue/79576 )
-
[https://groups.google.com/g/golang-announce/c/uhYX90BlBvI ](https://groups.google.com/g/golang-announce/c/uhYX90BlBvI )
- [https://go.dev/cl/781500 ](https://go.dev/cl/781500 )
This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5031 ) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb )
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license )).
</details>
---
### Excessive resource consumption in PackBits decompression in
golang.org/x/image/tiff
[CVE-2026-46599](https://nvd.nist.gov/vuln/detail/CVE-2026-46599 ) /
[GO-2026-5032](https://pkg.go.dev/vuln/GO-2026-5032 )
<details>
<summary>More information</summary>
#### Details
The TIFF decoder does not place a limit on the size of
PackBits-compressed data. A maliciously-crafted image can exploit this
to cause a small image (both in terms of pixel width/height and encoded
size) to make the decoder decode large amounts of compressed data.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79577 ](https://go.dev/issue/79577 )
- [https://go.dev/cl/759960 ](https://go.dev/cl/759960 )
-
[https://groups.google.com/g/golang-announce/c/uhYX90BlBvI ](https://groups.google.com/g/golang-announce/c/uhYX90BlBvI )
This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5032 ) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb )
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license )).
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- ""
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
2026-05-30 00:04:40 +02:00
Nicolas
dd59c68486
feat(actions): bulk delete, disable and enable runners in admin UI ( #37869 )
...
Adds bulk actions on the site-admin runner list
(`/-/admin/actions/runners`). Site admins can now select multiple
runners and **Delete**, **Disable**, or **Enable** them in one go
instead of clicking through each runner's edit page.
Scope is intentionally limited to the admin page. The user, org, and
repo runner pages keep their existing per-row UX — the shared list
template gates the bulk UI behind an `AllowBulkActions` flag set only by
the admin handler.
## Screenshots
<img width="1582" height="353"
src="https://github.com/user-attachments/assets/2125661f-aac0-4168-990a-97995a26abd2 "
/>
---------
Signed-off-by: Nicolas <bircni@icloud.com >
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-05-29 22:16:47 +02:00
silverwind
dafc9e127a
chore: update giteabot to v1.0.3 ( #37896 )
...
Bump the pinned `giteabot` action to the
[`v1.0.3`](https://github.com/go-gitea/giteabot/releases/tag/v1.0.3 )
release in both `giteabot.yml` and `giteabot-backport.yml`. v1.0.3 moves
label/state queries off the search API on top of the existing retry
logic.
---
This PR was written with the help of Claude Opus 4.8
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com >
2026-05-29 10:10:51 +00:00
Zettat123
949119c1dd
fix(actions): exclude workflow_call from workflow trigger detection ( #37894 )
...
Gitea now only allows `workflow_dispatch.inputs`. If a workflow contains
`workflow_call.inputs`, the workflow cannot be triggered, even though
the `on:` section contains other trigger events.
428ee9fcce/modules/actions/jobparser/model.go (L402-L405)#37478 for backport
---------
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com >
Co-authored-by: Giteabot <teabot@gitea.io >
2026-05-29 04:53:14 +00:00
Nicolas
da3e192eaf
fix(actions): keep action run title clickable when commit subject is a URL ( #37867 )
...
- When a commit subject is a bare URL, `linkProcessor` wrapped it in its
own `<a>` to that URL. Because HTML cannot nest anchors, the wrapping
default link (the action run / commit link) was lost and the action
title became unclickable — clicking it sent the user to the URL from the
commit message instead of the action log.
- Drop `linkProcessor` from `PostProcessCommitMessageSubject` so the
whole subject stays wrapped in the default link. URLs in subjects now
render as text inside that link; URLs in commit bodies are unaffected.
Fixes #37865
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: Giteabot <teabot@gitea.io >
2026-05-29 06:34:37 +02:00
Pascal Zimmermann
ea723fe482
enhance: Migrate remaining gopkg.in/yaml.v3 usages to go.yaml.in/yaml/v4 ( #37866 )
...
### Description
Replaces all remaining direct `gopkg.in/yaml.v3` imports with
`go.yaml.in/yaml/v4` across models, modules, routers, services, and
integration tests. `gopkg.in/yaml.v3` moves from a direct to an indirect
dependency in `go.mod`.
#### API compatibility
The yaml.Node type, node.Kind/node.Content traversal style
(modules/markup/markdown/convertyaml.go), and the
UnmarshalYAML(*yaml.Node) interface signature
(modules/optional/serialization.go) are all preserved in v4 — no
call-site changes were required beyond the import path.
**Related:**
- https://github.com/go-gitea/gitea/pull/36564#issuecomment-4526536805
---------
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com >
2026-05-29 01:12:11 +00:00
Jorge Ortiz
90d443b46c
fix(actions): reject workflow_dispatch for workflows without that trigger ( #37660 )
...
## Summary
Fixes #37528
This PR makes the workflow dispatch API reject workflows that do not
declare `workflow_dispatch`. Previously, `POST
/repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches` could
create an `ActionRun` for a workflow that only declared another event
such as `push`.
The service now validates that the target workflow has a
`workflow_dispatch` trigger before inserting the run. The API maps that
validation failure to `422 Unprocessable Entity`, matching existing
validation failures in this handler.
The regression test creates a push-only workflow, dispatches it through
the public API, asserts the `workflow_dispatch` validation message, and
verifies that no run was inserted.
## Disclosure
Developed with assistance from OpenAI Codex.
---------
Co-authored-by: Nicolas <bircni@icloud.com >
2026-05-28 16:40:43 -07:00
bircni