af0c43b2052c619737111cef222551a91563b449
2597 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
af0c43b205 | Address operator QoL review feedback | ||
|
|
fb13e1f6a9 | Hide archived routines from routines page | ||
|
|
5f481d50f1 |
Allow inline video attachment previews
Co-Authored-By: Paperclip <noreply@paperclip.ing> |
||
|
|
5d91c1bb29 | Fix document comment panel layering | ||
|
|
ed941ec089 |
Default routines view by project
Co-Authored-By: Paperclip <noreply@paperclip.ing> |
||
|
|
39e0fba65f | Filter issues by plan document | ||
|
|
6ac1a2e91f |
Add workspace runtime kill script
Co-Authored-By: Paperclip <noreply@paperclip.ing> |
||
|
|
96d4079324 | Render other answers as text links | ||
|
|
4afe5ab7cb | Add other answers to issue questions | ||
|
|
f360fcbbb3 |
Expire confirmations after user comments
Co-Authored-By: Paperclip <noreply@paperclip.ing> |
||
|
|
6c46f11f89 |
Preserve experimental settings with retired flags
Co-Authored-By: Paperclip <noreply@paperclip.ing> |
||
|
|
78dc3625ac |
Merge pull request #7527 from paperclipai/PAP-10323-add-last30days-to-optional-skills-catalog
[codex] Add referenced last30days catalog entry |
||
|
|
0cca059705 |
Address catalog review cleanup
Co-Authored-By: Paperclip <noreply@paperclip.ing> |
||
|
|
bee2b25f5d | Add referenced last30days catalog entry | ||
|
|
1227bb8ead |
Improve OpenAPI spec coverage and auth metadata (#4579)
## Thinking Path
> - Paperclip orchestrates AI agents for zero-human companies
> - Its REST API is the control-plane contract for the board UI, agents,
plugins, and external integrations
> - This branch adds `/api/openapi.json`, which makes the generated
OpenAPI document part of that contract instead of an internal
implementation detail
> - Once the spec is published, it has to match the mounted Express
routes, auth model, and real HTTP behavior closely enough for client
generation and review
> - The existing spec drifted from the live server: it missed mounted
routes, documented a few nonexistent ones, omitted auth semantics, and
normalized response codes too aggressively
> - This pull request makes the generated spec track the real API
surface, exposes security requirements, and adds regression coverage so
drift is caught automatically
> - The benefit is that Paperclip's published API description becomes
trustworthy for integrators, SDK generation, and review without changing
runtime auth enforcement
## What Changed
- Added the OpenAPI endpoint wiring under `server/src/routes/openapi.ts`
so `/api/openapi.json` is generated from the current route-backed
OpenAPI builder.
- Replaced generic request/response bodies with typed schemas where
available so the generated document carries useful structure instead of
opaque blobs.
- Expanded the generated spec to cover the mounted route set, including
access/member flows, CLI auth challenge routes, invite acceptance, issue
thread interaction routes, adapter environment testing, budget policy
routes, resource memberships, secret provider routes, cloud upstream
routes, and `/api/openapi.json` itself.
- Corrected documented path mismatches such as `skills/scan` vs
`skills/scan-projects`, and other route-name/path drift.
- Added security schemes plus operation-level security metadata so
public, authenticated, board-only, and instance-admin endpoints are
distinguishable in the generated contract.
- Fixed reviewed response-code mismatches for create/accept flows and
authz failures, including `201`, `202`, and `403` cases that were
previously flattened away.
- Added `server/src/__tests__/openapi-routes.test.ts` to diff the
generated spec against mounted server routes and assert key
auth/response invariants.
- Hardened the route-drift test after review feedback: it now handles
single/double/template route literals, fails on unlisted route files
that declare router methods, and filters OpenAPI path-item keys to HTTP
methods only.
## Verification
- `pnpm exec vitest run server/src/__tests__/openapi-routes.test.ts`
- `pnpm --filter @paperclipai/ui exec vitest run
src/pages/Inbox.test.tsx`
- `pnpm -r typecheck`
- `pnpm test:run`
- `pnpm build`
Manual notes:
- Confirmed the generated spec now matches the mounted route set in the
focused regression test.
- Confirmed `/api/plugins/install` is marked privileged in the generated
security metadata.
- Confirmed `POST /api/invites/{token}/accept` documents `202`.
- Addressed the Greptile route coverage comments and reran the focused
OpenAPI test, typecheck, and build successfully.
## Risks
- Medium-low risk. The main risk is ongoing spec drift if new routes are
added without updating the OpenAPI builder, but the regression test now
fails on unknown route files that declare router methods.
- The auth metadata is descriptive only; it does not change runtime
enforcement. If reviewers assume this PR hardens server auth behavior,
that would be an incorrect expectation.
- This change increases the amount of hand-maintained OpenAPI mapping in
`server/src/routes/openapi.ts`, so future API additions still need
discipline.
> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected. See `CONTRIBUTING.md`.
## Model Used
- OpenAI Codex, GPT-5-based coding agent in Codex desktop. Exact
internal model variant/version and context-window size are not exposed
in this environment. Tool-enabled coding workflow with terminal
execution, git, and GitHub integration.
## Checklist
- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots or confirmed screenshots are not applicable
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
|
bc0a076e13 |
fix(ui): stop linking foreign tracker keys as Paperclip issues (#7511)
Fixes #7514 — the prefix-validation piece of the #5456 auto-linker 404-storm umbrella. The remaining pieces (404 retry guard, word-boundary tightening, comment edit/soft-delete) stay open under #5456. Part of #5456. ## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies > - Agents and humans cross-reference work in markdown — issue descriptions, comments, documents — which the UI renders through a shared `MarkdownBody` > - That renderer auto-links any `IDENT-123`-shaped token to an internal `/issues/IDENT-123` link > - But foreign tracker keys share that exact shape: a Jira `TREE-604` (or any external `ORG-123`) mentioned in prose becomes a link to a Paperclip issue that does not exist — it 404s, and the renderer also fires a wasted issue-fetch for the bogus identifier > - The set of real issue prefixes is already in the browser: every company carries an `issuePrefix`, exposed via `CompanyContext` > - This PR gates bare-token auto-linking to known company prefixes, leaving explicit `issue://` / `/issues/` references and real markdown links untouched > - The benefit is no dead internal links from foreign keys, with no new query, cache, or server change — and zero regression when prefixes aren't yet known ## What Changed - **`ui/src/lib/issue-reference.ts`** — `parseIssueReferenceFromHref` takes an optional `knownPrefixes` set and rejects a bare `IDENT-123` token whose prefix isn't in it; threaded through `remarkLinkIssueReferences(options)` → tree rewrite → text and inline-code paths. An omitted/empty set keeps the legacy permissive behavior. Explicit `issue://` scheme and `/issues/` path forms are never gated. - **`ui/src/context/CompanyContext.tsx`** — adds `useOptionalCompany()`, a non-throwing variant of `useCompany()` (returns `null` outside a provider). - **`ui/src/components/MarkdownBody.tsx`** — reads company prefixes via `useOptionalCompany()` and passes them to the linkifier. The non-throwing read keeps `MarkdownBody` renderable in provider-less surfaces (e.g. standalone/exported markdown). - Tests extended in `issue-reference.test.ts` (gating + remark-plugin cases) and `MarkdownBody.test.tsx` (gating, empty-companies permissive, explicit-path bypass). ## Verification - `pnpm --filter @paperclipai/ui exec vitest run src/lib/issue-reference.test.ts src/components/MarkdownBody.test.tsx` — green (17 + 40 tests). - Full UI suite: `pnpm --filter @paperclipai/ui exec vitest run` — **1161 passed / 183 files**; pre-existing `MarkdownBody` link tests pass unmodified (they hit the permissive `null`-context path), confirming no regression. - `pnpm --filter @paperclipai/ui run typecheck` — clean. - _Screenshots pending — opening as draft; before/after images to follow before marking ready._ - Manual (before/after): in an issue description containing both a real Paperclip identifier and a Jira key — _before_ both render as `/issues/...` links (the Jira one dead); _after_ only the real identifier links and the Jira key is plain text. ## Risks - **Low risk.** No server/API/migration change; pure client rendering logic. - A referenced issue whose company isn't in the viewer's `companies` list stops auto-linking — acceptable, since that internal link wouldn't resolve for that viewer anyway; explicit `/issues/IDENT` references still render. - During initial load (companies not yet fetched) behavior is identical to today (permissive), so no new flicker. ## Model Used - **Anthropic Claude Opus 4.8** (`claude-opus-4-8`), 1M-token context, extended thinking + tool use. Plan authored and implemented with the model; all decisions reviewed by the human contributor. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [ ] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes (no doc changes required — behavior gated, no public API/doc surface affected) - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|
|
d60f50e4a4 |
feat(routines): suppress scheduled ticks while project is paused (TON-2139) (#7502)
Fixes #7501 ## Thinking Path Issue checkout already rejects paused projects (`issues.ts` → 409), but that fires only *after* the routine execution issue exists. Per internal TON-1102, the pause must be honored earlier — at the scheduler tick — so no execution issue is ever created while a project is paused. The fix gates dispatch in `tickScheduledTriggers` on the due routine's `projects.pausedAt`, while preserving normal cron advancement so resume does not backfill missed firings. ## What Changed - `server/src/services/routines.ts`: - `tickScheduledTriggers` LEFT JOINs `projects` and derives `projectPaused` from `projects.pausedAt`. Routines with no project are never suppressed. - When paused: the tick is still claimed and `routineTriggers.nextRunAt` advances by a single cron step (catch-up backfill bypassed while paused — no replay on resume); `recordSuppressedScheduleRun` runs instead of `dispatchRoutineRun`. - New `recordSuppressedScheduleRun` inserts one `routine_runs` row (`source: schedule`, `status: skipped`, `failureReason: paused`, `linkedIssueId: null`, `completedAt` set), updates routine/trigger touched state, and logs a `routine.run_skipped` activity entry. - `nextResultText` gains a `skipped_paused` branch for pause-specific audit text (does not overload the live-issue `skipped` text). - `server/src/__tests__/routines-service.test.ts`: focused test proving all four acceptance criteria (no issue created while paused; one `skipped`/`paused`/null-link run; `nextRunAt` advanced; normal resume on a later unpaused tick). ## Verification ```bash pnpm --filter @paperclipai/server exec tsc --noEmit npx vitest run server/src/__tests__/routines-service.test.ts ``` - The focused test in `routines-service.test.ts` proves all four acceptance criteria: no execution issue is created while the project is paused; exactly one `routine_runs` row is written with `source: schedule` / `status: skipped` / `failureReason: paused` / `linkedIssueId: null`; the trigger's `nextRunAt` advances by a single cron step (missed firings are not backfilled); and a later tick after the project is unpaused dispatches normally. ## Risks - Catch-up backfill is intentionally bypassed while paused — missed firings are **not** replayed on resume (specified no-backfill behavior). - Scope is deliberately narrow: manual runs, webhook/API triggers, routine-level paused status, workspace runtime start/stop, `concurrencyPolicy`, and `catchUpPolicy` (beyond no-backfill) are untouched. ## Model Used claude-opus-4-8 (Paperclip CTO heartbeat) Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> |
||
|
|
244a5b8002 |
fix(plugins): allow agent JWTs to access plugin tool endpoints (supersedes #3272, with regression tests from #5549) (#7480)
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies > - Plugin tools are how agents call into plugin-contributed capabilities (`GET /api/plugins/tools`, `POST /api/plugins/tools/execute`) > - Those two routes previously required board-level authentication, so agent-issued JWTs were rejected — agents couldn't actually use the very tools the plugin system was built to expose to them > - Two community PRs (#3272 by @nullEFFORT and #5549 by @aperim-agent) independently fixed this, but both went stale against master and neither could be merged as-is > - This pull request lands #3272's authz-helper approach (`assertBoardOrAgent`) rebased on current master, and adds the regression test suite from #5549 adapted to #3272's symbol names > - The benefit is agents can finally call plugin tools while preserving the existing board-scoped checks for the rest of the plugin admin surface ## What Changed - Adds `assertBoardOrAgent(req)` helper in `server/src/routes/authz.ts` — accepts either a board user or an agent JWT - Applies `assertBoardOrAgent` (in place of `assertBoard`) on `GET /api/plugins/tools` and `POST /api/plugins/tools/execute` so agent-issued tokens can list and execute plugin tools - Updates the file-level doc comment on `server/src/routes/plugins.ts` to note the agent-accessible routes - Adds `server/src/__tests__/plugin-routes-authz.test.ts` (118 lines, 34 cases) covering: agent JWT can list tools, agent JWT can execute within its company scope, agent JWT is rejected when `runContext.companyId` is outside its authenticated scope, agent JWT is rejected when `runContext.agentId` does not belong to `runContext.companyId`, plus the existing board/admin paths ## Verification - \`pnpm vitest run server/src/__tests__/plugin-routes-authz.test.ts\` → **34/34 passing** locally - Diff vs master is exactly 3 files: \`authz.ts\` (+6), \`plugins.ts\` (+5/-3), \`plugin-routes-authz.test.ts\` (+118). No other surfaces touched. ## Risks Low risk. - Authorization is being *widened* on two specific routes (board → board or agent), not narrowed elsewhere. Every other plugin admin route still uses \`assertBoard\` / \`assertInstanceAdmin\` / \`assertBoardOrgAccess\`. - Agent JWTs already encode \`companyId\` and \`agentId\`; the existing \`validateToolRunContextScope\` queue still enforces that an agent cannot execute a tool against a different company or impersonate another agent. Regression coverage for both is included. - No schema, migration, or wire-protocol changes. ## Model Used - Claude (Anthropic), \`claude-opus-4-7\` via Claude Code, extended thinking enabled, tool use enabled. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [ ] If this change affects the UI, I have included before/after screenshots — N/A, server-only change - [x] I have updated relevant documentation to reflect my changes (file-level doc comment on \`plugins.ts\`) - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge ## Provenance / credit This PR supersedes two community PRs that addressed the same agent-JWT plugin-tools authz gap: - **#3272 by @nullEFFORT** — original \`assertBoardOrAgent\` helper and the two route changes. \`fix: allow agent JWTs to access plugin tool endpoints\` (commit \`6991380\`) is cherry-picked here with author attribution preserved. - **#5549 by @aperim-agent** — regression test suite. Adapted to #3272's symbol names (\`assertBoardOrAgent\`, three-row \`validateToolRunContextScope\` queue) and included here. Both originals went stale against master and could not be force-pushed to the contributor forks from our OAuth-app-scoped tooling (workflow files in our \`master\` introduce a \`workflow\` scope requirement on pushes to those forks). This PR ships the same fix from our own branch so we can land it without that blocker. --------- Co-authored-by: Chad <chad@nulleffort.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Paperclip <noreply@paperclip.ing> |
||
|
|
6ac15bce31 |
build(deps-dev): bump esbuild from 0.27.3 to 0.28.0 (#7331)
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.27.3 to 0.28.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/releases">esbuild's releases</a>.</em></p> <blockquote> <h2>v0.28.0</h2> <ul> <li> <p>Add support for <code>with { type: 'text' }</code> imports (<a href="https://redirect.github.com/evanw/esbuild/issues/4435">#4435</a>)</p> <p>The <a href="https://github.com/tc39/proposal-import-text">import text</a> proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by <a href="https://docs.deno.com/examples/importing_text/">Deno</a> and <a href="https://bun.com/docs/guides/runtime/import-html">Bun</a>. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing <a href="https://esbuild.github.io/content-types/#text"><code>text</code> loader</a>. Here's an example:</p> <pre lang="js"><code>import string from './example.txt' with { type: 'text' } console.log(string) </code></pre> </li> <li> <p>Add integrity checks to fallback download path (<a href="https://redirect.github.com/evanw/esbuild/issues/4343">#4343</a>)</p> <p>Installing esbuild via npm is somewhat complicated with several different edge cases (see <a href="https://esbuild.github.io/getting-started/#additional-npm-flags">esbuild's documentation</a> for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the <code>npm</code> command, and then with a HTTP request to <code>registry.npmjs.org</code> as a last resort).</p> <p>This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level <code>esbuild</code> package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.</p> </li> <li> <p>Update the Go compiler from 1.25.7 to 1.26.1</p> <p>This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:</p> <ul> <li>It now uses the <a href="https://go.dev/doc/go1.26#new-garbage-collector">new garbage collector</a> that comes with Go 1.26.</li> <li>The Go compiler is now more aggressive with allocating memory on the stack.</li> <li>The executable format that the Go linker uses has undergone several changes.</li> <li>The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.</li> </ul> <p>You can read the <a href="https://go.dev/doc/go1.26">Go 1.26 release notes</a> for more information.</p> </li> </ul> <h2>v0.27.7</h2> <ul> <li> <p>Fix lowering of define semantics for TypeScript parameter properties (<a href="https://redirect.github.com/evanw/esbuild/issues/4421">#4421</a>)</p> <p>The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:</p> <pre lang="ts"><code>// Original code class Foo { constructor(public x = 1) {} y = 2 } <p>// Old output (with --loader=ts --target=es2021)<br /> class Foo {<br /> constructor(x = 1) {<br /> this.x = x;<br /> __publicField(this, "y", 2);<br /> }<br /> x;<br /> }</p> <p>// New output (with --loader=ts --target=es2021)<br /> class Foo {<br /> </code></pre></p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/blob/main/CHANGELOG.md">esbuild's changelog</a>.</em></p> <blockquote> <h2>0.28.0</h2> <ul> <li> <p>Add support for <code>with { type: 'text' }</code> imports (<a href="https://redirect.github.com/evanw/esbuild/issues/4435">#4435</a>)</p> <p>The <a href="https://github.com/tc39/proposal-import-text">import text</a> proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by <a href="https://docs.deno.com/examples/importing_text/">Deno</a> and <a href="https://bun.com/docs/guides/runtime/import-html">Bun</a>. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing <a href="https://esbuild.github.io/content-types/#text"><code>text</code> loader</a>. Here's an example:</p> <pre lang="js"><code>import string from './example.txt' with { type: 'text' } console.log(string) </code></pre> </li> <li> <p>Add integrity checks to fallback download path (<a href="https://redirect.github.com/evanw/esbuild/issues/4343">#4343</a>)</p> <p>Installing esbuild via npm is somewhat complicated with several different edge cases (see <a href="https://esbuild.github.io/getting-started/#additional-npm-flags">esbuild's documentation</a> for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the <code>npm</code> command, and then with a HTTP request to <code>registry.npmjs.org</code> as a last resort).</p> <p>This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level <code>esbuild</code> package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.</p> </li> <li> <p>Update the Go compiler from 1.25.7 to 1.26.1</p> <p>This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:</p> <ul> <li>It now uses the <a href="https://go.dev/doc/go1.26#new-garbage-collector">new garbage collector</a> that comes with Go 1.26.</li> <li>The Go compiler is now more aggressive with allocating memory on the stack.</li> <li>The executable format that the Go linker uses has undergone several changes.</li> <li>The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.</li> </ul> <p>You can read the <a href="https://go.dev/doc/go1.26">Go 1.26 release notes</a> for more information.</p> </li> </ul> <h2>0.27.7</h2> <ul> <li> <p>Fix lowering of define semantics for TypeScript parameter properties (<a href="https://redirect.github.com/evanw/esbuild/issues/4421">#4421</a>)</p> <p>The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:</p> <pre lang="ts"><code>// Original code class Foo { constructor(public x = 1) {} y = 2 } <p>// Old output (with --loader=ts --target=es2021)<br /> class Foo {<br /> constructor(x = 1) {<br /> this.x = x;<br /> __publicField(this, "y", 2);<br /> }<br /> x;<br /> }</p> <p></code></pre></p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/evanw/esbuild/commit/6a794dff68e6a43539f6da671e3080efdf11ca70"><code>6a794df</code></a> publish 0.28.0 to npm</li> <li><a href="https://github.com/evanw/esbuild/commit/64ee0ea63b2ff303caafc9610c388dc72c882c23"><code>64ee0ea</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4435">#4435</a>: support <code>with { type: text }</code> imports</li> <li><a href="https://github.com/evanw/esbuild/commit/ef65aeeaacdb71eade186f888975b1de89574314"><code>ef65aee</code></a> fix sort order in <code>snapshots_packagejson.txt</code></li> <li><a href="https://github.com/evanw/esbuild/commit/1a26a8ecbc39aaf1379c524a0274a08fbcbed655"><code>1a26a8e</code></a> try to fix <code>test-old-ts</code>, also shuffle CI tasks</li> <li><a href="https://github.com/evanw/esbuild/commit/556ce6c1fc00d7c0917fbfada01ed8e5251bc510"><code>556ce6c</code></a> use <code>''</code> instead of <code>null</code> to omit build hashes</li> <li><a href="https://github.com/evanw/esbuild/commit/8e675a81a473ea69a46a69792f1386bb110dd877"><code>8e675a8</code></a> ci: allow missing binary hashes for tests</li> <li><a href="https://github.com/evanw/esbuild/commit/7067763b904fe8a522fa840a4a48c5fbd4c395e0"><code>7067763</code></a> Reapply "update go 1.25.7 => 1.26.1"</li> <li><a href="https://github.com/evanw/esbuild/commit/39473a952ab3b450d0578b698a8b8d2a02332e0d"><code>39473a9</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4343">#4343</a>: integrity check for binary download</li> <li><a href="https://github.com/evanw/esbuild/commit/2025c9ff6ab15ba6b0f9d074fd732250cc46e4a3"><code>2025c9f</code></a> publish 0.27.7 to npm</li> <li><a href="https://github.com/evanw/esbuild/commit/c6b586e4904f47e8d5f783a2813660c13e2672e7"><code>c6b586e</code></a> fix typo in <code>Makefile</code> for <code>@esbuild/win32-x64</code></li> <li>Additional commits viewable in <a href="https://github.com/evanw/esbuild/compare/v0.27.3...v0.28.0">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
b03e114d89 |
build(deps): bump docker/setup-buildx-action from 3 to 4 (#7322)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/setup-buildx-action/releases">docker/setup-buildx-action's releases</a>.</em></p> <blockquote> <h2>v4.0.0</h2> <ul> <li>Node 24 as default runtime (requires <a href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions Runner v2.327.1</a> or later) by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/483">docker/setup-buildx-action#483</a></li> <li>Remove deprecated inputs/outputs by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/464">docker/setup-buildx-action#464</a></li> <li>Switch to ESM and update config/test wiring by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/481">docker/setup-buildx-action#481</a></li> <li>Bump <code>@actions/core</code> from 1.11.1 to 3.0.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/475">docker/setup-buildx-action#475</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.63.0 to 0.79.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/482">docker/setup-buildx-action#482</a> <a href="https://redirect.github.com/docker/setup-buildx-action/pull/485">docker/setup-buildx-action#485</a></li> <li>Bump js-yaml from 4.1.0 to 4.1.1 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/452">docker/setup-buildx-action#452</a></li> <li>Bump lodash from 4.17.21 to 4.17.23 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/472">docker/setup-buildx-action#472</a></li> <li>Bump minimatch from 3.1.2 to 3.1.5 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/480">docker/setup-buildx-action#480</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/setup-buildx-action/compare/v3.12.0...v4.0.0">https://github.com/docker/setup-buildx-action/compare/v3.12.0...v4.0.0</a></p> <h2>v3.12.0</h2> <ul> <li>Deprecate <code>install</code> input by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/455">docker/setup-buildx-action#455</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.62.1 to 0.63.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/434">docker/setup-buildx-action#434</a></li> <li>Bump brace-expansion from 1.1.11 to 1.1.12 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/436">docker/setup-buildx-action#436</a></li> <li>Bump form-data from 2.5.1 to 2.5.5 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/432">docker/setup-buildx-action#432</a></li> <li>Bump undici from 5.28.4 to 5.29.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/435">docker/setup-buildx-action#435</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/setup-buildx-action/compare/v3.11.1...v3.12.0">https://github.com/docker/setup-buildx-action/compare/v3.11.1...v3.12.0</a></p> <h2>v3.11.1</h2> <ul> <li>Fix <code>keep-state</code> not being respected by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/429">docker/setup-buildx-action#429</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/setup-buildx-action/compare/v3.11.0...v3.11.1">https://github.com/docker/setup-buildx-action/compare/v3.11.0...v3.11.1</a></p> <h2>v3.11.0</h2> <ul> <li>Keep BuildKit state support by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/427">docker/setup-buildx-action#427</a></li> <li>Remove aliases created when installing by default by <a href="https://github.com/hashhar"><code>@hashhar</code></a> in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/139">docker/setup-buildx-action#139</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.56.0 to 0.62.1 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/422">docker/setup-buildx-action#422</a> <a href="https://redirect.github.com/docker/setup-buildx-action/pull/425">docker/setup-buildx-action#425</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/setup-buildx-action/compare/v3.10.0...v3.11.0">https://github.com/docker/setup-buildx-action/compare/v3.10.0...v3.11.0</a></p> <h2>v3.10.0</h2> <ul> <li>Bump <code>@docker/actions-toolkit</code> from 0.54.0 to 0.56.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/408">docker/setup-buildx-action#408</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/setup-buildx-action/compare/v3.9.0...v3.10.0">https://github.com/docker/setup-buildx-action/compare/v3.9.0...v3.10.0</a></p> <h2>v3.9.0</h2> <ul> <li>Bump <code>@docker/actions-toolkit</code> from 0.48.0 to 0.54.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/402">docker/setup-buildx-action#402</a> <a href="https://redirect.github.com/docker/setup-buildx-action/pull/404">docker/setup-buildx-action#404</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/setup-buildx-action/compare/v3.8.0...v3.9.0">https://github.com/docker/setup-buildx-action/compare/v3.8.0...v3.9.0</a></p> <h2>v3.8.0</h2> <ul> <li>Make cloud prefix optional to download buildx if driver is cloud by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/390">docker/setup-buildx-action#390</a></li> <li>Bump <code>@actions/core</code> from 1.10.1 to 1.11.1 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/370">docker/setup-buildx-action#370</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.39.0 to 0.48.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/389">docker/setup-buildx-action#389</a></li> <li>Bump cross-spawn from 7.0.3 to 7.0.6 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/382">docker/setup-buildx-action#382</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/setup-buildx-action/compare/v3.7.1...v3.8.0">https://github.com/docker/setup-buildx-action/compare/v3.7.1...v3.8.0</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/setup-buildx-action/commit/d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5"><code>d7f5e7f</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/489">#489</a> from docker/dependabot/npm_and_yarn/docker/actions-to...</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/92bc5c9777806d0a73d9d668ba2114fa1177f164"><code>92bc5c9</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/da11e35abee0f20cb4f1c1b7c461d37c29be52f5"><code>da11e35</code></a> build(deps): bump <code>@docker/actions-toolkit</code> from 0.79.0 to 0.90.0</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/f021e162ef95b6fba51af1c6674f537f25bce851"><code>f021e16</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/492">#492</a> from docker/dependabot/npm_and_yarn/undici-6.24.1</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/b5af94fab700aee0c64d6077e0e34ae987815b67"><code>b5af94f</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/16ad9776a801d0c47f0a05f007b88a3789aa8ab6"><code>16ad977</code></a> build(deps): bump undici from 6.23.0 to 6.25.0</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/d7a12d7df895b33bd02a9b4bf62a12f2b9a24458"><code>d7a12d7</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/495">#495</a> from docker/dependabot/npm_and_yarn/glob-10.5.0</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/28ff27de4eed7518d361591f2cd1dfb69c34a7cb"><code>28ff27d</code></a> build(deps): bump glob from 10.3.12 to 13.0.6</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/daf436b50e13d9053b9730cbc16516891878b019"><code>daf436b</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/496">#496</a> from docker/dependabot/npm_and_yarn/fast-xml-parser-5...</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/9725348367859764880f2f2e688a6b0c353e3f35"><code>9725348</code></a> chore: update generated content</li> <li>Additional commits viewable in <a href="https://github.com/docker/setup-buildx-action/compare/v3...v4">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
4c4506fe16 |
build(deps): bump docker/metadata-action from 5 to 6 (#7321)
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5 to 6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/metadata-action/releases">docker/metadata-action's releases</a>.</em></p> <blockquote> <h2>v6.0.0</h2> <ul> <li>Node 24 as default runtime (requires <a href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions Runner v2.327.1</a> or later) by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/605">docker/metadata-action#605</a></li> <li>List inputs now preserve <code>#</code> inside values while still supporting full-line <code>#</code> comments by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/607">docker/metadata-action#607</a></li> <li>Switch to ESM and update config/test wiring by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/602">docker/metadata-action#602</a></li> <li>Bump lodash from 4.17.21 to 4.17.23 in <a href="https://redirect.github.com/docker/metadata-action/pull/588">docker/metadata-action#588</a></li> <li>Bump <code>@actions/core</code> from 1.11.1 to 3.0.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/599">docker/metadata-action#599</a></li> <li>Bump <code>@actions/github</code> from 6.0.1 to 9.0.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/597">docker/metadata-action#597</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.68.0 to 0.79.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/604">docker/metadata-action#604</a></li> <li>Bump <code>@isaacs/brace-expansion</code> from 5.0.0 to 5.0.1 in <a href="https://redirect.github.com/docker/metadata-action/pull/600">docker/metadata-action#600</a></li> <li>Bump semver from 7.7.3 to 7.7.4 in <a href="https://redirect.github.com/docker/metadata-action/pull/603">docker/metadata-action#603</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/metadata-action/compare/v5.10.0...v6.0.0">https://github.com/docker/metadata-action/compare/v5.10.0...v6.0.0</a></p> <h2>v5.10.0</h2> <ul> <li>Bump <code>@docker/actions-toolkit</code> from 0.66.0 to 0.68.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/559">docker/metadata-action#559</a> <a href="https://redirect.github.com/docker/metadata-action/pull/569">docker/metadata-action#569</a></li> <li>Bump js-yaml from 3.14.1 to 3.14.2 in <a href="https://redirect.github.com/docker/metadata-action/pull/564">docker/metadata-action#564</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/metadata-action/compare/v5.9.0...v5.10.0">https://github.com/docker/metadata-action/compare/v5.9.0...v5.10.0</a></p> <h2>v5.9.0</h2> <ul> <li>Add <code>tag-names</code> output to return tag names without image base name by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/553">docker/metadata-action#553</a></li> <li>Bump <code>@babel/runtime-corejs3</code> from 7.14.7 to 7.28.2 in <a href="https://redirect.github.com/docker/metadata-action/pull/539">docker/metadata-action#539</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.62.1 to 0.66.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/555">docker/metadata-action#555</a></li> <li>Bump brace-expansion from 1.1.11 to 1.1.12 in <a href="https://redirect.github.com/docker/metadata-action/pull/540">docker/metadata-action#540</a></li> <li>Bump csv-parse from 5.6.0 to 6.1.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/532">docker/metadata-action#532</a></li> <li>Bump semver from 7.7.2 to 7.7.3 in in <a href="https://redirect.github.com/docker/metadata-action/pull/554">docker/metadata-action#554</a></li> <li>Bump tmp from 0.2.3 to 0.2.5 in <a href="https://redirect.github.com/docker/metadata-action/pull/541">docker/metadata-action#541</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/metadata-action/compare/v5.8.0...v5.9.0">https://github.com/docker/metadata-action/compare/v5.8.0...v5.9.0</a></p> <h2>v5.8.0</h2> <ul> <li>New <code>is_not_default_branch</code> global expression by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/535">docker/metadata-action#535</a></li> <li>Allow to match part of the git tag or value for semver/pep440 types by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/536">docker/metadata-action#536</a> <a href="https://redirect.github.com/docker/metadata-action/pull/537">docker/metadata-action#537</a></li> <li>Bump <code>@actions/github</code> from 6.0.0 to 6.0.1 in <a href="https://redirect.github.com/docker/metadata-action/pull/523">docker/metadata-action#523</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.56.0 to 0.62.1 in <a href="https://redirect.github.com/docker/metadata-action/pull/526">docker/metadata-action#526</a></li> <li>Bump form-data from 2.5.1 to 2.5.5 in <a href="https://redirect.github.com/docker/metadata-action/pull/533">docker/metadata-action#533</a></li> <li>Bump moment-timezone from 0.5.47 to 0.6.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/525">docker/metadata-action#525</a></li> <li>Bump semver from 7.7.1 to 7.7.2 in <a href="https://redirect.github.com/docker/metadata-action/pull/524">docker/metadata-action#524</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/metadata-action/compare/v5.7.0...v5.8.0">https://github.com/docker/metadata-action/compare/v5.7.0...v5.8.0</a></p> <h2>v5.7.0</h2> <ul> <li>Global expressions support for labels and annotations by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/489">docker/metadata-action#489</a></li> <li>Support disabling outputs as environment variables by <a href="https://github.com/omus"><code>@omus</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/497">docker/metadata-action#497</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.44.0 to 0.56.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/507">docker/metadata-action#507</a> <a href="https://redirect.github.com/docker/metadata-action/pull/509">docker/metadata-action#509</a></li> <li>Bump csv-parse from 5.5.6 to 5.6.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/482">docker/metadata-action#482</a></li> <li>Bump moment-timezone from 0.5.46 to 0.5.47 in <a href="https://redirect.github.com/docker/metadata-action/pull/501">docker/metadata-action#501</a></li> <li>Bump semver from 7.6.3 to 7.7.1 in <a href="https://redirect.github.com/docker/metadata-action/pull/504">docker/metadata-action#504</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/metadata-action/compare/v5.6.1...v5.7.0">https://github.com/docker/metadata-action/compare/v5.6.1...v5.7.0</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/metadata-action/commit/80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9"><code>80c7e94</code></a> Merge pull request <a href="https://redirect.github.com/docker/metadata-action/issues/613">#613</a> from docker/dependabot/npm_and_yarn/docker/actions-to...</li> <li><a href="https://github.com/docker/metadata-action/commit/8e0ddab90c29de6fff30c787e328563e48106fd0"><code>8e0ddab</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/metadata-action/commit/a8db14bd863c93be08c93c13e1cc816ec5b49b2e"><code>a8db14b</code></a> chore(deps): Bump <code>@docker/actions-toolkit</code> from 0.79.0 to 0.90.0</li> <li><a href="https://github.com/docker/metadata-action/commit/63a7371ee01888324f2c7b3e18be9ac13b9dbdbc"><code>63a7371</code></a> Merge pull request <a href="https://redirect.github.com/docker/metadata-action/issues/617">#617</a> from docker/dependabot/npm_and_yarn/csv-parse-6.2.0</li> <li><a href="https://github.com/docker/metadata-action/commit/c6916a6cf86608c44ba936565d57f550835ecd45"><code>c6916a6</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/metadata-action/commit/aca9205632182712a2d859059cf12fdc9b2ca202"><code>aca9205</code></a> chore(deps): Bump csv-parse from 6.1.0 to 6.2.1</li> <li><a href="https://github.com/docker/metadata-action/commit/9dcfe60f10ebea72e9e48bf8bf366d01629d045a"><code>9dcfe60</code></a> Merge pull request <a href="https://redirect.github.com/docker/metadata-action/issues/629">#629</a> from docker/dependabot/npm_and_yarn/handlebars-4.7.9</li> <li><a href="https://github.com/docker/metadata-action/commit/43dea7677c80686dc31a7b16e61ba9d542081b59"><code>43dea76</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/metadata-action/commit/7a56f5af0aa2d36278ba725bb44091417def9f73"><code>7a56f5a</code></a> chore(deps): Bump handlebars from 4.7.8 to 4.7.9</li> <li><a href="https://github.com/docker/metadata-action/commit/e49e0aa5deac3d581afd6ce80464d84ef68f5ccc"><code>e49e0aa</code></a> Merge pull request <a href="https://redirect.github.com/docker/metadata-action/issues/658">#658</a> from docker/dependabot/npm_and_yarn/brace-expansion-5...</li> <li>Additional commits viewable in <a href="https://github.com/docker/metadata-action/compare/v5...v6">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
ecef71eb13 |
build(deps): bump actions/checkout from 4 to 6 (#7320)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v6.0.0</h2> <h2>What's Changed</h2> <ul> <li>Update README to include Node.js 24 support details and requirements by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li> <li>Persist creds to a separate file by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li> <li>v6-beta by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2298">actions/checkout#2298</a></li> <li>update readme/changelog for v6 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2311">actions/checkout#2311</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v5.0.0...v6.0.0">https://github.com/actions/checkout/compare/v5.0.0...v6.0.0</a></p> <h2>v6-beta</h2> <h2>What's Changed</h2> <p>Updated persist-credentials to store the credentials under <code>$RUNNER_TEMP</code> instead of directly in the local git config.</p> <p>This requires a minimum Actions Runner version of <a href="https://github.com/actions/runner/releases/tag/v2.329.0">v2.329.0</a> to access the persisted credentials for <a href="https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action">Docker container action</a> scenarios.</p> <h2>v5.0.1</h2> <h2>What's Changed</h2> <ul> <li>Port v6 cleanup to v5 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v5...v5.0.1">https://github.com/actions/checkout/compare/v5...v5.0.1</a></p> <h2>v5.0.0</h2> <h2>What's Changed</h2> <ul> <li>Update actions checkout to use node 24 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li> <li>Prepare v5.0.0 release by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2238">actions/checkout#2238</a></li> </ul> <h2>⚠️ Minimum Compatible Runner Version</h2> <p><strong>v2.327.1</strong><br /> <a href="https://github.com/actions/runner/releases/tag/v2.327.1">Release Notes</a></p> <p>Make sure your runner is updated to this version or newer to use this release.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v4...v5.0.0">https://github.com/actions/checkout/compare/v4...v5.0.0</a></p> <h2>v4.3.1</h2> <h2>What's Changed</h2> <ul> <li>Port v6 cleanup to v4 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v4...v4.3.1">https://github.com/actions/checkout/compare/v4...v4.3.1</a></p> <h2>v4.3.0</h2> <h2>What's Changed</h2> <ul> <li>docs: update README.md by <a href="https://github.com/motss"><code>@motss</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li> <li>Add internal repos for checking out multiple repositories by <a href="https://github.com/mouismail"><code>@mouismail</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li> <li>Documentation update - add recommended permissions to Readme by <a href="https://github.com/benwells"><code>@benwells</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/checkout/commit/df4cb1c069e1874edd31b4311f1884172cec0e10"><code>df4cb1c</code></a> Update changelog for v6.0.3 (<a href="https://redirect.github.com/actions/checkout/issues/2446">#2446</a>)</li> <li><a href="https://github.com/actions/checkout/commit/1cce3390c2bfda521930d01229c073c7ff920824"><code>1cce339</code></a> Fix checkout init for SHA-256 repositories (<a href="https://redirect.github.com/actions/checkout/issues/2439">#2439</a>)</li> <li><a href="https://github.com/actions/checkout/commit/900f2210b1d28bbbd0bd22d17926b9e224e8f231"><code>900f221</code></a> fix: expand merge commit SHA regex and add SHA-256 test cases (<a href="https://redirect.github.com/actions/checkout/issues/2414">#2414</a>)</li> <li><a href="https://github.com/actions/checkout/commit/0c366fd6a839edf440554fa01a7085ccba70ac98"><code>0c366fd</code></a> Update changelog (<a href="https://redirect.github.com/actions/checkout/issues/2357">#2357</a>)</li> <li><a href="https://github.com/actions/checkout/commit/de0fac2e4500dabe0009e67214ff5f5447ce83dd"><code>de0fac2</code></a> Fix tag handling: preserve annotations and explicit fetch-tags (<a href="https://redirect.github.com/actions/checkout/issues/2356">#2356</a>)</li> <li><a href="https://github.com/actions/checkout/commit/064fe7f3312418007dea2b49a19844a9ee378f49"><code>064fe7f</code></a> Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...</li> <li><a href="https://github.com/actions/checkout/commit/8e8c483db84b4bee98b60c0593521ed34d9990e8"><code>8e8c483</code></a> Clarify v6 README (<a href="https://redirect.github.com/actions/checkout/issues/2328">#2328</a>)</li> <li><a href="https://github.com/actions/checkout/commit/033fa0dc0b82693d8986f1016a0ec2c5e7d9cbb1"><code>033fa0d</code></a> Add worktree support for persist-credentials includeIf (<a href="https://redirect.github.com/actions/checkout/issues/2327">#2327</a>)</li> <li><a href="https://github.com/actions/checkout/commit/c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5"><code>c2d88d3</code></a> Update all references from v5 and v4 to v6 (<a href="https://redirect.github.com/actions/checkout/issues/2314">#2314</a>)</li> <li><a href="https://github.com/actions/checkout/commit/1af3b93b6815bc44a9784bd300feb67ff0d1eeb3"><code>1af3b93</code></a> update readme/changelog for v6 (<a href="https://redirect.github.com/actions/checkout/issues/2311">#2311</a>)</li> <li>Additional commits viewable in <a href="https://github.com/actions/checkout/compare/v4...v6">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
b91bce3522 |
build(deps): bump pnpm/action-setup from 4 to 6 (#7319)
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4 to 6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pnpm/action-setup/releases">pnpm/action-setup's releases</a>.</em></p> <blockquote> <h2>v6.0.0</h2> <p>Added support for pnpm <a href="https://github.com/pnpm/pnpm/releases/tag/v11.0.0-rc.0">v11</a>.</p> <h2>v5.0.0</h2> <p>Updated the action to use Node.js 24.</p> <h2>v4.4.0</h2> <p>Updated the action to use Node.js 24.</p> <h2>v4.3.0</h2> <h2>What's Changed</h2> <ul> <li>docs: fix the run_install example in the Readme by <a href="https://github.com/dreyks"><code>@dreyks</code></a> in <a href="https://redirect.github.com/pnpm/action-setup/pull/175">pnpm/action-setup#175</a></li> <li>chore: remove unused <code>@types/node-fetch</code> dependency by <a href="https://github.com/silverwind"><code>@silverwind</code></a> in <a href="https://redirect.github.com/pnpm/action-setup/pull/186">pnpm/action-setup#186</a></li> <li>Clarify that package_json_file is relative to GITHUB_WORKSPACE by <a href="https://github.com/chris-martin"><code>@chris-martin</code></a> in <a href="https://redirect.github.com/pnpm/action-setup/pull/184">pnpm/action-setup#184</a></li> <li>feat: store caching by <a href="https://github.com/jrmajor"><code>@jrmajor</code></a> in <a href="https://redirect.github.com/pnpm/action-setup/pull/188">pnpm/action-setup#188</a></li> <li>refactor: remove star imports by <a href="https://github.com/KSXGitHub"><code>@KSXGitHub</code></a> in <a href="https://redirect.github.com/pnpm/action-setup/pull/196">pnpm/action-setup#196</a></li> <li>fix(ci): exclude macos by <a href="https://github.com/KSXGitHub"><code>@KSXGitHub</code></a> in <a href="https://redirect.github.com/pnpm/action-setup/pull/197">pnpm/action-setup#197</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/dreyks"><code>@dreyks</code></a> made their first contribution in <a href="https://redirect.github.com/pnpm/action-setup/pull/175">pnpm/action-setup#175</a></li> <li><a href="https://github.com/silverwind"><code>@silverwind</code></a> made their first contribution in <a href="https://redirect.github.com/pnpm/action-setup/pull/186">pnpm/action-setup#186</a></li> <li><a href="https://github.com/chris-martin"><code>@chris-martin</code></a> made their first contribution in <a href="https://redirect.github.com/pnpm/action-setup/pull/184">pnpm/action-setup#184</a></li> <li><a href="https://github.com/jrmajor"><code>@jrmajor</code></a> made their first contribution in <a href="https://redirect.github.com/pnpm/action-setup/pull/188">pnpm/action-setup#188</a></li> <li><a href="https://github.com/Boosted-Bonobo"><code>@Boosted-Bonobo</code></a> made their first contribution in <a href="https://redirect.github.com/pnpm/action-setup/pull/199">pnpm/action-setup#199</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/pnpm/action-setup/compare/v4.2.0...v4.3.0">https://github.com/pnpm/action-setup/compare/v4.2.0...v4.3.0</a></p> <h2>v4.2.0</h2> <p>When there's a <code>.npmrc</code> file at the root of the repository, pnpm will be fetched from the registry that is specified in that <code>.npmrc</code> file <a href="https://redirect.github.com/pnpm/action-setup/pull/179">#179</a></p> <h2>v4.1.0</h2> <p>Add support for <code>package.yaml</code> <a href="https://redirect.github.com/pnpm/action-setup/pull/156">#156</a>.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pnpm/action-setup/commit/0e279bb959325dab635dd2c09392533439d90093"><code>0e279bb</code></a> fix: update pnpm to 11.1.1 (<a href="https://redirect.github.com/pnpm/action-setup/issues/248">#248</a>)</li> <li><a href="https://github.com/pnpm/action-setup/commit/3e835812ef01165f4f8ae08ade56da44427ed4e0"><code>3e83581</code></a> fix: drop patchPnpmEnv so standalone+self-update works on Windows (<a href="https://redirect.github.com/pnpm/action-setup/issues/258">#258</a>)</li> <li><a href="https://github.com/pnpm/action-setup/commit/551b42e879e37e74d986effdd2a1647d2b02d464"><code>551b42e</code></a> docs(README): fix <code>cache_dependency_path</code> type (<a href="https://redirect.github.com/pnpm/action-setup/issues/257">#257</a>)</li> <li><a href="https://github.com/pnpm/action-setup/commit/739bfe42ca9233c5e6aca07c1a25a9d34aca49b0"><code>739bfe4</code></a> fix: self-update bootstrap to packageManager-pinned version (<a href="https://redirect.github.com/pnpm/action-setup/issues/233">#233</a>) (<a href="https://redirect.github.com/pnpm/action-setup/issues/256">#256</a>)</li> <li><a href="https://github.com/pnpm/action-setup/commit/f61705d907761b3b5209e83910fafd1fea50c5a1"><code>f61705d</code></a> chore: add CODEOWNERS</li> <li><a href="https://github.com/pnpm/action-setup/commit/7a5507b117647ab83e96e9db317ba2234056ebf3"><code>7a5507b</code></a> fix: restore inputs from state in post (<a href="https://redirect.github.com/pnpm/action-setup/issues/255">#255</a>)</li> <li><a href="https://github.com/pnpm/action-setup/commit/1155470f3e5fb872accd4d104b8dfcda41f676ce"><code>1155470</code></a> fix: honor devEngines.packageManager.onFail=error (<a href="https://redirect.github.com/pnpm/action-setup/issues/252">#252</a>) (<a href="https://redirect.github.com/pnpm/action-setup/issues/254">#254</a>)</li> <li><a href="https://github.com/pnpm/action-setup/commit/91ab88e2619ed1f46221f0ba42d1492c02baf788"><code>91ab88e</code></a> fix: bin_dest output points to self-updated pnpm, not bootstrap (<a href="https://redirect.github.com/pnpm/action-setup/issues/249">#249</a>)</li> <li><a href="https://github.com/pnpm/action-setup/commit/e578e19d19d31b011b841ba2aca34731a5f706a5"><code>e578e19</code></a> fix: update pnpm to 11.0.4</li> <li><a href="https://github.com/pnpm/action-setup/commit/8912a9102ac27614460f54aedde9e1e7f9aec20d"><code>8912a91</code></a> fix: append (not prepend) action node dir to PATH for npm bootstrap (<a href="https://redirect.github.com/pnpm/action-setup/issues/241">#241</a>)</li> <li>Additional commits viewable in <a href="https://github.com/pnpm/action-setup/compare/v4...v6">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
564d10bcc2 |
build(deps): bump actions/upload-artifact from 4 to 7 (#7318)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>v7 What's new</h2> <h3>Direct Uploads</h3> <p>Adds support for uploading single files directly (unzipped). Callers can set the new <code>archive</code> parameter to <code>false</code> to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The <code>name</code> parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.</p> <h3>ESM</h3> <p>To support new versions of the <code>@actions/*</code> packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Add proxy integration test by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> <li>Upgrade the module to ESM and bump dependencies by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/762">actions/upload-artifact#762</a></li> <li>Support direct file uploads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/764">actions/upload-artifact#764</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Link"><code>@Link</code></a>- made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v6...v7.0.0">https://github.com/actions/upload-artifact/compare/v6...v7.0.0</a></p> <h2>v6.0.0</h2> <h2>v6 - What's new</h2> <blockquote> <p>[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (<code>runs.using: node24</code>) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.</p> </blockquote> <h3>Node.js 24</h3> <p>This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.</p> <h2>What's Changed</h2> <ul> <li>Upload Artifact Node 24 support by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/719">actions/upload-artifact#719</a></li> <li>fix: update <code>@actions/artifact</code> for Node.js 24 punycode deprecation by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/744">actions/upload-artifact#744</a></li> <li>prepare release v6.0.0 for Node.js 24 support by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/745">actions/upload-artifact#745</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0">https://github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0</a></p> <h2>v5.0.0</h2> <h2>What's Changed</h2> <p><strong>BREAKING CHANGE:</strong> this update supports Node <code>v24.x</code>. This is not a breaking change per-se but we're treating it as such.</p> <ul> <li>Update README.md by <a href="https://github.com/GhadimiR"><code>@GhadimiR</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/681">actions/upload-artifact#681</a></li> <li>Update README.md by <a href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/712">actions/upload-artifact#712</a></li> <li>Readme: spell out the first use of GHES by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/727">actions/upload-artifact#727</a></li> <li>Update GHES guidance to include reference to Node 20 version by <a href="https://github.com/patrikpolyak"><code>@patrikpolyak</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/725">actions/upload-artifact#725</a></li> <li>Bump <code>@actions/artifact</code> to <code>v4.0.0</code></li> <li>Prepare <code>v5.0.0</code> by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/734">actions/upload-artifact#734</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"><code>043fb46</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/797">#797</a> from actions/yacaovsnc/update-dependency</li> <li><a href="https://github.com/actions/upload-artifact/commit/634250c1388765ea7ed0f053e636f1f399000b94"><code>634250c</code></a> Include changes in typespec/ts-http-runtime 0.3.5</li> <li><a href="https://github.com/actions/upload-artifact/commit/e454baaac2be505c9450e11b8f3215c6fc023ce8"><code>e454baa</code></a> Readme: bump all the example versions to v7 (<a href="https://redirect.github.com/actions/upload-artifact/issues/796">#796</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/74fad66b98a6d799dc004d3353ccd0e6f6b2530e"><code>74fad66</code></a> Update the readme with direct upload details (<a href="https://redirect.github.com/actions/upload-artifact/issues/795">#795</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"><code>bbbca2d</code></a> Support direct file uploads (<a href="https://redirect.github.com/actions/upload-artifact/issues/764">#764</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/589182c5a4cec8920b8c1bce3e2fab1c97a02296"><code>589182c</code></a> Upgrade the module to ESM and bump dependencies (<a href="https://redirect.github.com/actions/upload-artifact/issues/762">#762</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/47309c993abb98030a35d55ef7ff34b7fa1074b5"><code>47309c9</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/754">#754</a> from actions/Link-/add-proxy-integration-tests</li> <li><a href="https://github.com/actions/upload-artifact/commit/02a8460834e70dab0ce194c64360c59dc1475ef0"><code>02a8460</code></a> Add proxy integration test</li> <li><a href="https://github.com/actions/upload-artifact/commit/b7c566a772e6b6bfb58ed0dc250532a479d7789f"><code>b7c566a</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/745">#745</a> from actions/upload-artifact-v6-release</li> <li><a href="https://github.com/actions/upload-artifact/commit/e516bc8500aaf3d07d591fcd4ae6ab5f9c391d5b"><code>e516bc8</code></a> docs: correct description of Node.js 24 support in README</li> <li>Additional commits viewable in <a href="https://github.com/actions/upload-artifact/compare/v4...v7">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
1325503565 |
build(deps): bump @codemirror/lang-javascript from 6.2.4 to 6.2.5 (#7328)
Bumps [@codemirror/lang-javascript](https://github.com/codemirror/lang-javascript) from 6.2.4 to 6.2.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/codemirror/lang-javascript/blob/main/CHANGELOG.md">@codemirror/lang-javascript's changelog</a>.</em></p> <blockquote> <h2>6.2.5 (2026-03-02)</h2> <h3>Bug fixes</h3> <p>Support code folding of JSX elements and tags.</p> <p>When reading properties in <code>scopeCompletionSource</code>, use the original object, not a prototype.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/codemirror/lang-javascript/commit/a202a000e8d3d107d1c340db933d9f09a828308a"><code>a202a00</code></a> Mark version 6.2.5</li> <li><a href="https://github.com/codemirror/lang-javascript/commit/190b567c8066a4383826b9a32e3a53f3ed01e442"><code>190b567</code></a> Fix missing inherited getters in enumeratePropertyCompletions</li> <li><a href="https://github.com/codemirror/lang-javascript/commit/a94cdcb88454738842564881d6980502f0bfc784"><code>a94cdcb</code></a> Add folding for JSX elements and tags</li> <li><a href="https://github.com/codemirror/lang-javascript/commit/78a85210d83c41bef23c222425f2ebf3d4353e2d"><code>78a8521</code></a> Use git+https format for package.json repository field</li> <li>See full diff in <a href="https://github.com/codemirror/lang-javascript/compare/6.2.4...6.2.5">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
2a77c65189 |
build(deps-dev): bump @tailwindcss/vite from 4.1.18 to 4.3.0 (#7327)
Bumps [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) from 4.1.18 to 4.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tailwindlabs/tailwindcss/releases">@tailwindcss/vite's releases</a>.</em></p> <blockquote> <h2>v4.3.0</h2> <h3>Added</h3> <ul> <li>Add <code>@container-size</code> utility (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18901">#18901</a>)</li> <li>Add <code>scrollbar-{auto,thin,none}</code> utilities for <code>scrollbar-width</code>, and <code>scrollbar-thumb-*</code> / <code>scrollbar-track-*</code> color utilities for <code>scrollbar-color</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19981">#19981</a>, <a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20019">#20019</a>)</li> <li>Add <code>scrollbar-gutter-*</code> utilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20018">#20018</a>)</li> <li>Add <code>zoom-*</code> utilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20020">#20020</a>)</li> <li>Add <code>tab-*</code> utilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20022">#20022</a>)</li> <li>Allow using <code>@variant</code> with stacked variants (e.g. <code>@variant hover:focus { … }</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19996">#19996</a>)</li> <li>Allow using <code>@variant</code> with compound variants (e.g. <code>@variant hover, focus { … }</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19996">#19996</a>)</li> <li>Support <code>--default(…)</code> in <code>--value(…)</code> and <code>--modifier(…)</code> for functional <code>@utility</code> definitions (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19989">#19989</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Ensure <code>@plugin</code> resolves package JavaScript entries instead of browser CSS entries when using <code>@tailwindcss/vite</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19949">#19949</a>)</li> <li>Fix relative <code>@import</code> and <code>@plugin</code> paths resolving from the wrong directory when using <code>@tailwindcss/vite</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19965">#19965</a>)</li> <li>Ensure CSS files containing <code>@variant</code> are processed by <code>@tailwindcss/vite</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19966">#19966</a>)</li> <li>Resolve imports relative to <code>base</code> when <code>result.opts.from</code> is not provided when using <code>@tailwindcss/postcss</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19980">#19980</a>)</li> <li>Canonicalization: preserve significant <code>_</code> whitespace in arbitrary values (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19986">#19986</a>)</li> <li>Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. <code>w-[calc(100%---spacing(60))]</code> → <code>w-[calc(100%-(--spacing(60)))]</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19986">#19986</a>)</li> <li>Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. <code>-mt-[20in]</code> → <code>mt-[-20in]</code>, not <code>mt-[-1920px]</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19988">#19988</a>)</li> <li>Canonicalization: migrate arbitrary <code>:has()</code> variants from <code>[&:has(…)]</code> to <code>has-[…]</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19991">#19991</a>)</li> <li>Upgrade: don’t migrate inline <code>style</code> attributes (e.g. <code>style="flex-grow: 1"</code> → <code>style="flex-grow: 1"</code>, not <code>style="grow: 1"</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19918">#19918</a>)</li> <li>Allow multiple <code>@utility</code> definitions with the same name but different value types (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19777">#19777</a>)</li> <li>Export missing <code>PluginWithConfig</code> type from <code>tailwindcss/plugin</code> to fix errors when inferring plugin config types (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19707">#19707</a>)</li> <li>Ensure <code>start</code> and <code>end</code> legacy utilities without values do not generate CSS (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20003">#20003</a>)</li> <li>Ensure <code>--value(…)</code> is required in functional <code>@utility</code> definitions (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20005">#20005</a>)</li> <li>Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. <code>-left-[(var(--a)+var(--b))]</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20011">#20011</a>)</li> </ul> <h2>v4.2.4</h2> <h3>Fixed</h3> <ul> <li>Ensure imports in <code>@import</code> and <code>@plugin</code> still resolve correctly when using Vite aliases in <code>@tailwindcss/vite</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19947">#19947</a>)</li> </ul> <h2>v4.2.3</h2> <h3>Fixed</h3> <ul> <li>Canonicalization: improve canonicalizations for <code>tracking-*</code> utilities by preferring non-negative utilities (e.g. <code>-tracking-tighter</code> → <code>tracking-wider</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19827">#19827</a>)</li> <li>Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19829">#19829</a>)</li> <li>Ensure query params in imports are considered unique resources when using <code>@tailwindcss/webpack</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19723">#19723</a>)</li> <li>Canonicalization: collapse arbitrary values into shorthand utilities (e.g. <code>px-[1.2rem] py-[1.2rem]</code> → <code>p-[1.2rem]</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19837">#19837</a>)</li> <li>Canonicalization: collapse <code>border-{t,b}-*</code> into <code>border-y-*</code>, <code>border-{l,r}-*</code> into <code>border-x-*</code>, and <code>border-{t,r,b,l}-*</code> into <code>border-*</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19842">#19842</a>)</li> <li>Canonicalization: collapse <code>scroll-m{t,b}-*</code> into <code>scroll-my-*</code>, <code>scroll-m{l,r}-*</code> into <code>scroll-mx-*</code>, and <code>scroll-m{t,r,b,l}-*</code> into <code>scroll-m-*</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19842">#19842</a>)</li> <li>Canonicalization: collapse <code>scroll-p{t,b}-*</code> into <code>scroll-py-*</code>, <code>scroll-p{l,r}-*</code> into <code>scroll-px-*</code>, and <code>scroll-p{t,r,b,l}-*</code> into <code>scroll-p-*</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19842">#19842</a>)</li> <li>Canonicalization: collapse <code>overflow-{x,y}-*</code> into <code>overflow-*</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19842">#19842</a>)</li> <li>Canonicalization: collapse <code>overscroll-{x,y}-*</code> into <code>overscroll-*</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19842">#19842</a>)</li> <li>Read from <code>--placeholder-color</code> instead of <code>--background-color</code> for <code>placeholder-*</code> utilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19843">#19843</a>)</li> <li>Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19846">#19846</a>)</li> <li>Upgrade: use <code>config.content</code> when migrating from Tailwind CSS v3 to Tailwind CSS v4 (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19846">#19846</a>)</li> <li>Upgrade: never migrate files that are ignored by git (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19846">#19846</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md">@tailwindcss/vite's changelog</a>.</em></p> <blockquote> <h2>[4.3.0] - 2026-05-08</h2> <h3>Added</h3> <ul> <li>Add <code>@container-size</code> utility (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18901">#18901</a>)</li> <li>Add <code>scrollbar-{auto,thin,none}</code> utilities for <code>scrollbar-width</code>, and <code>scrollbar-thumb-*</code> / <code>scrollbar-track-*</code> color utilities for <code>scrollbar-color</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19981">#19981</a>, <a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20019">#20019</a>)</li> <li>Add <code>scrollbar-gutter-*</code> utilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20018">#20018</a>)</li> <li>Add <code>zoom-*</code> utilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20020">#20020</a>)</li> <li>Add <code>tab-*</code> utilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20022">#20022</a>)</li> <li>Allow using <code>@variant</code> with stacked variants (e.g. <code>@variant hover:focus { … }</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19996">#19996</a>)</li> <li>Allow using <code>@variant</code> with compound variants (e.g. <code>@variant hover, focus { … }</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19996">#19996</a>)</li> <li>Support <code>--default(…)</code> in <code>--value(…)</code> and <code>--modifier(…)</code> for functional <code>@utility</code> definitions (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19989">#19989</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Ensure <code>@plugin</code> resolves package JavaScript entries instead of browser CSS entries when using <code>@tailwindcss/vite</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19949">#19949</a>)</li> <li>Fix relative <code>@import</code> and <code>@plugin</code> paths resolving from the wrong directory when using <code>@tailwindcss/vite</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19965">#19965</a>)</li> <li>Ensure CSS files containing <code>@variant</code> are processed by <code>@tailwindcss/vite</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19966">#19966</a>)</li> <li>Resolve imports relative to <code>base</code> when <code>result.opts.from</code> is not provided when using <code>@tailwindcss/postcss</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19980">#19980</a>)</li> <li>Canonicalization: preserve significant <code>_</code> whitespace in arbitrary values (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19986">#19986</a>)</li> <li>Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. <code>w-[calc(100%---spacing(60))]</code> → <code>w-[calc(100%-(--spacing(60)))]</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19986">#19986</a>)</li> <li>Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. <code>-mt-[20in]</code> → <code>mt-[-20in]</code>, not <code>mt-[-1920px]</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19988">#19988</a>)</li> <li>Canonicalization: migrate arbitrary <code>:has()</code> variants from <code>[&:has(…)]</code> to <code>has-[…]</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19991">#19991</a>)</li> <li>Upgrade: don’t migrate inline <code>style</code> attributes (e.g. <code>style="flex-grow: 1"</code> → <code>style="flex-grow: 1"</code>, not <code>style="grow: 1"</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19918">#19918</a>)</li> <li>Allow multiple <code>@utility</code> definitions with the same name but different value types (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19777">#19777</a>)</li> <li>Export missing <code>PluginWithConfig</code> type from <code>tailwindcss/plugin</code> to fix errors when inferring plugin config types (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19707">#19707</a>)</li> <li>Ensure <code>start</code> and <code>end</code> legacy utilities without values do not generate CSS (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20003">#20003</a>)</li> <li>Ensure <code>--value(…)</code> is required in functional <code>@utility</code> definitions (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20005">#20005</a>)</li> <li>Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. <code>-left-[(var(--a)+var(--b))]</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/20011">#20011</a>)</li> </ul> <h2>[4.2.4] - 2026-04-21</h2> <h3>Fixed</h3> <ul> <li>Ensure imports in <code>@import</code> and <code>@plugin</code> still resolve correctly when using Vite aliases in <code>@tailwindcss/vite</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19947">#19947</a>)</li> </ul> <h2>[4.2.3] - 2026-04-20</h2> <h3>Fixed</h3> <ul> <li>Canonicalization: improve canonicalization for <code>tracking-*</code> utilities by preferring non-negative utilities (e.g. <code>-tracking-tighter</code> → <code>tracking-wider</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19827">#19827</a>)</li> <li>Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19829">#19829</a>)</li> <li>Ensure query params in imports are considered unique resources when using <code>@tailwindcss/webpack</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19723">#19723</a>)</li> <li>Canonicalization: collapse arbitrary values into shorthand utilities (e.g. <code>px-[1.2rem] py-[1.2rem]</code> → <code>p-[1.2rem]</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19837">#19837</a>)</li> <li>Canonicalization: collapse <code>border-{t,b}-*</code> into <code>border-y-*</code>, <code>border-{l,r}-*</code> into <code>border-x-*</code>, and <code>border-{t,r,b,l}-*</code> into <code>border-*</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19842">#19842</a>)</li> <li>Canonicalization: collapse <code>scroll-m{t,b}-*</code> into <code>scroll-my-*</code>, <code>scroll-m{l,r}-*</code> into <code>scroll-mx-*</code>, and <code>scroll-m{t,r,b,l}-*</code> into <code>scroll-m-*</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19842">#19842</a>)</li> <li>Canonicalization: collapse <code>scroll-p{t,b}-*</code> into <code>scroll-py-*</code>, <code>scroll-p{l,r}-*</code> into <code>scroll-px-*</code>, and <code>scroll-p{t,r,b,l}-*</code> into <code>scroll-p-*</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19842">#19842</a>)</li> <li>Canonicalization: collapse <code>overflow-{x,y}-*</code> into <code>overflow-*</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19842">#19842</a>)</li> <li>Canonicalization: collapse <code>overscroll-{x,y}-*</code> into <code>overscroll-*</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19842">#19842</a>)</li> <li>Read from <code>--placeholder-color</code> instead of <code>--background-color</code> for <code>placeholder-*</code> utilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/19843">#19843</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/tailwindlabs/tailwindcss/commit/588bd7371f4cae96426e1387819b7fd1d99765f9"><code>588bd73</code></a> 4.3.0 (<a href="https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite/issues/20023">#20023</a>)</li> <li><a href="https://github.com/tailwindlabs/tailwindcss/commit/d194d4c3e656313421f1cfa1954db8f58eec0fcd"><code>d194d4c</code></a> docs: fix various typos in comments and documentation (<a href="https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite/issues/19878">#19878</a>)</li> <li><a href="https://github.com/tailwindlabs/tailwindcss/commit/db27049caaae08978995f25b61f8336f543a4640"><code>db27049</code></a> fix(<code>@tailwindcss/vite</code>): include <a href="https://github.com/variant"><code>@variant</code></a> in feature detection (<a href="https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite/issues/19966">#19966</a>)</li> <li><a href="https://github.com/tailwindlabs/tailwindcss/commit/5a799900d4b43ca4902398a38c6f0a5b37a98ed9"><code>5a79990</code></a> Always resolve relative files, relative to the current .css file (<a href="https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite/issues/19965">#19965</a>)</li> <li><a href="https://github.com/tailwindlabs/tailwindcss/commit/f3fdda2a5cb9de50c897c79003aa58182cd9269b"><code>f3fdda2</code></a> fix(vite): avoid resolving JS plugins to browser CSS entries (<a href="https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite/issues/19949">#19949</a>)</li> <li><a href="https://github.com/tailwindlabs/tailwindcss/commit/69ad7cc5ec091125842aba783c5bfce536e9c234"><code>69ad7cc</code></a> 4.2.4 (<a href="https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite/issues/19948">#19948</a>)</li> <li><a href="https://github.com/tailwindlabs/tailwindcss/commit/685c19e266a6b75842747acab6fe7076e82df62d"><code>685c19e</code></a> Fix issue around resolving paths in <code>@tailwindcss/vite</code> (<a href="https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite/issues/19947">#19947</a>)</li> <li><a href="https://github.com/tailwindlabs/tailwindcss/commit/2e3fa490a535a8341fd2853d75098f0d4dbcc825"><code>2e3fa49</code></a> 4.2.3 (<a href="https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite/issues/19944">#19944</a>)</li> <li><a href="https://github.com/tailwindlabs/tailwindcss/commit/5cb1efdf416a6d37012d31cc1306c41cb35bbdc1"><code>5cb1efd</code></a> fix(vite): resolve tsconfig paths in CSS and JS resolvers (<a href="https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite/issues/19803">#19803</a>)</li> <li><a href="https://github.com/tailwindlabs/tailwindcss/commit/d596b0c43d36ad5099c983930fb155e089cbc291"><code>d596b0c</code></a> 4.2.2 (<a href="https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite/issues/19821">#19821</a>)</li> <li>Additional commits viewable in <a href="https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-vite">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for <code>@tailwindcss/vite</code> since your current version.</p> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
06ce7ec5b0 |
build(deps): bump dompurify from 3.3.2 to 3.4.8 (#7326)
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.3.2 to 3.4.8. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cure53/DOMPurify/releases">dompurify's releases</a>.</em></p> <blockquote> <h2>DOMPurify 3.4.8</h2> <ul> <li>Cleaned up the repository root, renamed some and removed unneeded files</li> <li>Fixed an issue with handling of Trusted Types policies, thanks <a href="https://github.com/fulstadev"><code>@fulstadev</code></a></li> <li>Fixed the node iterator for better template scrubbing, thanks <a href="https://github.com/IamLeandrooooo"><code>@IamLeandrooooo</code></a></li> <li>Included formerly missing LICENSE-MPL in published npm package, thanks <a href="https://github.com/asamuzaK"><code>@asamuzaK</code></a></li> <li>Bumped several dependencies where possible</li> </ul> <h2>DOMPurify 3.4.7</h2> <ul> <li>Hardened the handling of Shadow Roots when using <code>IN_PLACE</code>, thanks <a href="https://github.com/GameZoneHacker"><code>@GameZoneHacker</code></a></li> <li>Removed a problem leading to permanent hook pollution, thanks <a href="https://github.com/offset"><code>@offset</code></a></li> <li>Refactored the test suite and expanded test coverage significantly</li> </ul> <h2>DOMPurify 3.4.6</h2> <ul> <li>Fixed several issues with DOM Clobbering in <code>IN_PLACE</code> mode, thanks <a href="https://github.com/offset"><code>@offset</code></a> & <a href="https://github.com/Bankde"><code>@Bankde</code></a></li> <li>Hardened the checks for cross-realm <code>IN_PLACE</code> and Shadow DOM sanitization, thanks <a href="https://github.com/offset"><code>@offset</code></a> & <a href="https://github.com/Bankde"><code>@Bankde</code></a></li> <li>Added more test coverage for <code>IN_PLACE</code> and general DOM Clobbering attacks</li> <li>Bumped several dependencies where possible</li> </ul> <h2>DOMPurify 3.4.5</h2> <ul> <li>Fixed a bypass caused by the new HTML element <code>selectedcontent</code> added in 3.4.4, thanks <a href="https://github.com/KabirAcharya"><code>@KabirAcharya</code></a></li> </ul> <p><strong>Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.</strong></p> <h2>DOMPurify 3.4.4</h2> <ul> <li>Added the <code>selectedcontent</code> element to default allow-list, thanks <a href="https://github.com/lukewarlow"><code>@lukewarlow</code></a></li> <li>Added the <code>command</code> and <code>commandfor</code> attributes to default allowed-list, thanks <a href="https://github.com/lukewarlow"><code>@lukewarlow</code></a></li> <li>Added better template scrubbing for <code>IN_PLACE</code> operations, thanks <a href="https://github.com/DEMON1A"><code>@DEMON1A</code></a></li> <li>Added stronger checks for cross-realm windows, thanks <a href="https://github.com/DEMON1A"><code>@DEMON1A</code></a> & <a href="https://github.com/fg0x0"><code>@fg0x0</code></a></li> <li>Updated demo website and made sure it uses the latest from main</li> <li>Updated existing workflows, fuzzer, dependabot, etc., added more tests</li> <li>Bumped several dependencies where possible</li> </ul> <p>🚨 <strong>This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead</strong> 🚨</p> <h2>DOMPurify 3.4.3</h2> <ul> <li>Fixed an issue with handling of nested Shadow DOM trees, thanks <a href="https://github.com/fishjojo1"><code>@fishjojo1</code></a></li> <li>Fixed the template regexes to be more robust against ReDoS attacks, thanks <a href="https://github.com/aleung27"><code>@aleung27</code></a></li> <li>Updated the node iteration code to catch more Shadow DOM related issues</li> <li>Updated Playwright and added Node 26 to test matrix</li> <li>Updated existing workflows, fuzzer, release signing, etc., added more tests</li> <li>Bumped several dependencies where possible</li> </ul> <h2>DOMPurify 3.4.2</h2> <ul> <li>Fixed an issue with URI validation on attributes allowed via <code>ADD_ATTR</code> callback, thanks <a href="https://github.com/nelstrom"><code>@nelstrom</code></a></li> <li>Fixed an issue with source maps referring to non-existing files, thanks <a href="https://github.com/cmdcolin"><code>@cmdcolin</code></a></li> <li>Updated existing workflows, fuzzer, release signing, etc., added more tests</li> <li>Bumped several dependencies where possible</li> </ul> <h2>DOMPurify 3.4.1</h2> <ul> <li>Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (<code>font-face</code>, <code>color-profile</code>, <code>missing-glyph</code>, <code>font-face-src</code>, <code>font-face-uri</code>, <code>font-face-format</code>, <code>font-face-name</code>) under permissive <code>CUSTOM_ELEMENT_HANDLING</code></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cure53/DOMPurify/commit/bcdd8285412dc9c4c149652aed2d712e790d6ccf"><code>bcdd828</code></a> release: 3.4.8 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1439">#1439</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/ca30f070c360df162a3e3848e80e6fd3c9e74bff"><code>ca30f07</code></a> release: 3.4.7 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1414">#1414</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/bb7739e5bccec7e1ab3dae3f3e42d02db3acaaae"><code>bb7739e</code></a> release: 3.4.6 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1394">#1394</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/011b0c78f2a0f57ee54f5fcccb697a46ca6e63ea"><code>011b0c7</code></a> release: 3.4.5 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1382">#1382</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/5817ad969c15e67dfcd6cb37248d6e9c1553e7c3"><code>5817ad9</code></a> release: 3.4.4 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1374">#1374</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/520edb0371a9638f9b51f1798051299a250c686b"><code>520edb0</code></a> release: 3.4.3 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1352">#1352</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/6f67fd396a7b8c64294343999fe607ca1f5299c0"><code>6f67fd3</code></a> Sync/3.4.2 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1322">#1322</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/5b0cdbbf52331e854c0a2de875b1a3790ecec2b8"><code>5b0cdbb</code></a> chore: merge main into 3.x for 3.4.1 release (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1301">#1301</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/09f59115a311469de5b625225760593e551f080a"><code>09f5911</code></a> test: added three more browsers to test setup (OSX, mobile)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/5b16e0b892e82b1779d62b9928b43c4c4ff290b9"><code>5b16e0b</code></a> Getting 3.x branch ready for 3.4.0 release (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1250">#1250</a>)</li> <li>Additional commits viewable in <a href="https://github.com/cure53/DOMPurify/compare/3.3.2...3.4.8">compare view</a></li> </ul> </details> <details> <summary>Install script changes</summary> <p>This version adds <code>prepare</code> script that runs during installation. Review the package contents before updating.</p> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
3d9bd326c9 |
build(deps): bump react-router-dom from 7.13.0 to 7.16.0 (#7325)
Bumps [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) from 7.13.0 to 7.16.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md">react-router-dom's changelog</a>.</em></p> <blockquote> <h2>v7.16.0</h2> <h3>Patch Changes</h3> <ul> <li>Remove stale/invalid <code>unpkg</code> field from <code>package.json</code>. This was removed from other packages with the release of v7 but missed in the <code>react-router-dom</code> re-export package (<a href="https://redirect.github.com/remix-run/react-router/pull/15075">#15075</a>)</li> <li>Updated dependencies: <ul> <li><a href="https://github.com/remix-run/react-router/releases/tag/react-router@7.16.0"><code>react-router@7.16.0</code></a></li> </ul> </li> </ul> <h2>v7.15.1</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies: <ul> <li><a href="https://github.com/remix-run/react-router/releases/tag/react-router@7.15.1"><code>react-router@7.15.1</code></a></li> </ul> </li> </ul> <h2>v7.15.0</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies: <ul> <li><a href="https://github.com/remix-run/react-router/releases/tag/react-router@7.15.0"><code>react-router@7.15.0</code></a></li> </ul> </li> </ul> <h2>v7.14.2</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies: <ul> <li><a href="https://github.com/remix-run/react-router/releases/tag/react-router@7.14.2"><code>react-router@7.14.2</code></a></li> </ul> </li> </ul> <h2>v7.14.1</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies: <ul> <li><a href="https://github.com/remix-run/react-router/releases/tag/react-router@7.14.1"><code>react-router@7.14.1</code></a></li> </ul> </li> </ul> <h2>7.14.0</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies: <ul> <li><code>react-router@7.14.0</code></li> </ul> </li> </ul> <h2>7.13.2</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies: <ul> <li><code>react-router@7.13.2</code></li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/remix-run/react-router/commit/8984d23f86ca7ae5655711744b77816090bda4e6"><code>8984d23</code></a> Release v7.16.0 (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom/issues/15105">#15105</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/3ed77afcde0ad9aea79f1afe5f05a700b201f289"><code>3ed77af</code></a> chore: format</li> <li><a href="https://github.com/remix-run/react-router/commit/e96962bc6159a2290632849b55872a3878753342"><code>e96962b</code></a> fix: remove stale unpkg field from react-router-dom (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom/issues/15075">#15075</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/587d08fca6ca61e00f44c1eda95bf6e6a9ab76ef"><code>587d08f</code></a> Release v7.15.1 (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom/issues/15038">#15038</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/97c8de79c38f107acd15f74d8295c7bf75894a5d"><code>97c8de7</code></a> Release v7.15.0 (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom/issues/15018">#15018</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/cf1d25003aa1217dc21c16e95d483601940ae9af"><code>cf1d250</code></a> Release v7.14.2 (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom/issues/14993">#14993</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/197674ba9fc1b72b452e17894e5e783bdab7a087"><code>197674b</code></a> Release 7.14.1 (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom/issues/14973">#14973</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/a87774f997d8ba497c97562840f0766250c3e4ce"><code>a87774f</code></a> Add new release process (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom/issues/14916">#14916</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/e31077b0c380d9764dbced4c753e9ff99387045d"><code>e31077b</code></a> chore: Update version for release (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom/issues/14945">#14945</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/6683e85a9d7d607a45a3f6374afcc598a474f602"><code>6683e85</code></a> chore: Update version for release (pre) (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom/issues/14943">#14943</a>)</li> <li>Additional commits viewable in <a href="https://github.com/remix-run/react-router/commits/react-router-dom@7.16.0/packages/react-router-dom">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
cc938d0366 |
build(deps): bump @assistant-ui/react from 0.12.23 to 0.14.13 (#7324)
Bumps [@assistant-ui/react](https://github.com/assistant-ui/assistant-ui/tree/HEAD/packages/react) from 0.12.23 to 0.14.13. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/assistant-ui/assistant-ui/releases">@assistant-ui/react's releases</a>.</em></p> <blockquote> <h2><code>@assistant-ui/react</code><a href="https://github.com/0"><code>@0</code></a>.14.13</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4176">#4176</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/27ae936dec6dc5d05d21fd892af0a8e1db61928e"><code>27ae936</code></a> - feat: add the <code>ToolkitDeclaration</code> / <code>ToolkitDeclarationDefinition</code> types for authoring a toolkit permissively (a backend tool may declare <code>description</code>/<code>parameters</code>/<code>execute</code>); the canonical <code>Toolkit</code> keeps those fields erased. Author with <code>defineToolkit()</code> from <code>@assistant-ui/react</code>, which the <code>"use generative"</code> compiler strips per build. (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</p> </li> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4176">#4176</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/27ae936dec6dc5d05d21fd892af0a8e1db61928e"><code>27ae936</code></a> - feat: move the <code>defineToolkit</code> and <code>hitl</code> use-generative markers from <code>@assistant-ui/next</code> into <code>@assistant-ui/core/react</code>, so they ship once from every distribution (<code>@assistant-ui/react</code>, <code>@assistant-ui/react-native</code>, <code>@assistant-ui/react-ink</code>) and stay portable across build targets. Import them from <code>@assistant-ui/react</code> instead of <code>@assistant-ui/next</code>; they remain no-op markers stripped at build time by a <code>"use generative"</code> compiler. (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</p> </li> <li> <p>Updated dependencies [<a href="https://github.com/assistant-ui/assistant-ui/commit/27ae936dec6dc5d05d21fd892af0a8e1db61928e"><code>27ae936</code></a>, <a href="https://github.com/assistant-ui/assistant-ui/commit/27ae936dec6dc5d05d21fd892af0a8e1db61928e"><code>27ae936</code></a>]:</p> <ul> <li>assistant-stream@0.3.19</li> <li><code>@assistant-ui/core</code><a href="https://github.com/0"><code>@0</code></a>.2.9</li> </ul> </li> </ul> <h2><code>@assistant-ui/react-langgraph</code><a href="https://github.com/0"><code>@0</code></a>.14.4</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4125">#4125</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/e639a11838642aa111644077ba51acf6277051f2"><code>e639a11</code></a> - chore: drop tracker-behaviour explainer comments left behind in satellite runtimes (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</li> </ul> <h2><code>@assistant-ui/react</code><a href="https://github.com/0"><code>@0</code></a>.14.11</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4125">#4125</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/e639a11838642aa111644077ba51acf6277051f2"><code>e639a11</code></a> - chore: drop tracker-behaviour explainer comments left behind in satellite runtimes (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</li> </ul> <h2><code>@assistant-ui/react</code><a href="https://github.com/0"><code>@0</code></a>.14.9</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4120">#4120</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/372d4f0c538a766fd9a849fef74e413dde86d74a"><code>372d4f0</code></a> - feat: simplify <code>MessagePrimitive.GroupedParts</code> API and add <code>groupPartByType</code> helper. (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</p> <ul> <li>New <code>groupPartByType({ ... })</code> helper builds a <code>groupBy</code> from a <code>part.type → group-key path</code> lookup. The map keys are typed against <code>PartState["type"]</code> (autocomplete + typo rejection), missing keys leave the part ungrouped, and the returned function carries an internal memo fingerprint so the tree survives unrelated re-renders even when reconstructed inline.</li> <li>Special map key <code>"mcp-app"</code> matches tool-call parts that point at an assistant-ui MCP app resource (<code>ui://...</code>). It takes precedence over the <code>"tool-call"</code> entry for those parts, so MCP apps can be routed separately (e.g. rendered outside a chain-of-thought wrapper).</li> <li><code>groupBy</code> signature simplified from <code>(part, index, parts) => string | string[] | null | undefined</code> to <code>(part) => readonly \</code>group-${string}`[] | null<code>. The 2nd/3rd args were unused in practice. Arrays are required (no bare-string shorthand); </code>null<code>is accepted as an alias for</code>[]` to soften the migration.</li> <li>Internal memoization now uses the helper's memo fingerprint when present, otherwise rebuilds the tree per render (O(n), cheap). The previous "pass a stable reference" advice is dropped — inline <code>groupBy</code> is fine.</li> <li>Docs and examples updated to lead with <code>groupPartByType</code>. The <code>getMcpAppFromToolPart</code> branch in <code>packages/ui</code> switches to <code>"mcp-app": []</code> via the helper.</li> </ul> </li> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4107">#4107</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/32ae846a91b61eccd01330693868a48f2f3bb0c4"><code>32ae846</code></a> - feat: surface AI SDK v6 tool approvals as a first-class <code>respondToApproval</code> prop on tool components. tool-call parts in the <code>approval-requested</code> state now carry <code>part.approval = { id, isAutomatic? }</code>; tool components call <code>respondToApproval({ approved, reason? })</code> to ack the gate without threading <code>chatHelpers</code> through application context. also fixes a transient <code>requires-action</code> flicker for the <code>approval-responded</code> state and tightens the external-message converter so interrupt vs pending tool calls are distinguished by an actual <code>interrupt</code>/<code>approval</code> field rather than by <code>result === undefined</code>. (<a href="https://github.com/okisdev"><code>@okisdev</code></a>)</p> </li> <li> <p>Updated dependencies [<a href="https://github.com/assistant-ui/assistant-ui/commit/372d4f0c538a766fd9a849fef74e413dde86d74a"><code>372d4f0</code></a>, <a href="https://github.com/assistant-ui/assistant-ui/commit/d4f1db428b1a1fe5c122150e1e366a377e9adb5f"><code>d4f1db4</code></a>, <a href="https://github.com/assistant-ui/assistant-ui/commit/32ae846a91b61eccd01330693868a48f2f3bb0c4"><code>32ae846</code></a>]:</p> <ul> <li><code>@assistant-ui/core</code><a href="https://github.com/0"><code>@0</code></a>.2.6</li> <li>assistant-stream@0.3.17</li> </ul> </li> </ul> <h2><code>@assistant-ui/react-syntax-highlighter</code><a href="https://github.com/0"><code>@0</code></a>.14.1</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4085">#4085</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/01244a56026ee92bd4e49cb985136f9eb6d45154"><code>01244a5</code></a> - chore: update dependencies (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</p> </li> <li> <p>Updated dependencies [<a href="https://github.com/assistant-ui/assistant-ui/commit/b02b7012cff158b4e73b82503b9ea90638b7398d"><code>b02b701</code></a>, <a href="https://github.com/assistant-ui/assistant-ui/commit/0a0c306286598ea885b046a1dfb85016f720051c"><code>0a0c306</code></a>, <a href="https://github.com/assistant-ui/assistant-ui/commit/01244a56026ee92bd4e49cb985136f9eb6d45154"><code>01244a5</code></a>, <a href="https://github.com/assistant-ui/assistant-ui/commit/f2ec01ce0f01317a8444b779d88f9b6a26d691c5"><code>f2ec01c</code></a>]:</p> <ul> <li><code>@assistant-ui/react</code><a href="https://github.com/0"><code>@0</code></a>.14.8</li> <li><code>@assistant-ui/react-markdown</code><a href="https://github.com/0"><code>@0</code></a>.14.1</li> </ul> </li> </ul> <h2><code>@assistant-ui/react-langgraph</code><a href="https://github.com/0"><code>@0</code></a>.14.2</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/3967">#3967</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/0a0c306286598ea885b046a1dfb85016f720051c"><code>0a0c306</code></a> - feat(core, react): add <code>MessagePrimitive.GenerativeUI</code> primitive (<a href="https://github.com/samdickson22"><code>@samdickson22</code></a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/assistant-ui/assistant-ui/blob/main/packages/react/CHANGELOG.md">@assistant-ui/react's changelog</a>.</em></p> <blockquote> <h2>0.14.13</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4176">#4176</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/27ae936dec6dc5d05d21fd892af0a8e1db61928e"><code>27ae936</code></a> - feat: add the <code>ToolkitDeclaration</code> / <code>ToolkitDeclarationDefinition</code> types for authoring a toolkit permissively (a backend tool may declare <code>description</code>/<code>parameters</code>/<code>execute</code>); the canonical <code>Toolkit</code> keeps those fields erased. Author with <code>defineToolkit()</code> from <code>@assistant-ui/react</code>, which the <code>"use generative"</code> compiler strips per build. (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</p> </li> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4176">#4176</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/27ae936dec6dc5d05d21fd892af0a8e1db61928e"><code>27ae936</code></a> - feat: move the <code>defineToolkit</code> and <code>hitl</code> use-generative markers from <code>@assistant-ui/next</code> into <code>@assistant-ui/core/react</code>, so they ship once from every distribution (<code>@assistant-ui/react</code>, <code>@assistant-ui/react-native</code>, <code>@assistant-ui/react-ink</code>) and stay portable across build targets. Import them from <code>@assistant-ui/react</code> instead of <code>@assistant-ui/next</code>; they remain no-op markers stripped at build time by a <code>"use generative"</code> compiler. (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</p> </li> <li> <p>Updated dependencies [<a href="https://github.com/assistant-ui/assistant-ui/commit/27ae936dec6dc5d05d21fd892af0a8e1db61928e"><code>27ae936</code></a>, <a href="https://github.com/assistant-ui/assistant-ui/commit/27ae936dec6dc5d05d21fd892af0a8e1db61928e"><code>27ae936</code></a>]:</p> <ul> <li>assistant-stream@0.3.19</li> <li><code>@assistant-ui/core</code><a href="https://github.com/0"><code>@0</code></a>.2.9</li> </ul> </li> </ul> <h2>0.14.12</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4172">#4172</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/13157895e4d69ad4266d6ab278edfc2e3ea1de92"><code>1315789</code></a> - feat: add the <code>ToolkitDeclaration</code> / <code>ToolkitDeclarationDefinition</code> types for authoring a toolkit permissively (a backend tool may declare <code>description</code>/<code>parameters</code>/<code>execute</code>); the canonical <code>Toolkit</code> keeps those fields erased. Author with <code>defineToolkit()</code> from <code>@assistant-ui/next</code>, which the <code>"use generative"</code> compiler strips per build. (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</p> </li> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4151">#4151</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/299d4488c8a5bbec0679680866f5975055fe71b3"><code>299d448</code></a> - chore: drop stale <code>biome-ignore</code> pragmas now that the repo lints with oxlint (<a href="https://github.com/okisdev"><code>@okisdev</code></a>)</p> </li> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4136">#4136</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/4429aa32f6bd4fd50a7a8ddbad1e19f6ccad192b"><code>4429aa3</code></a> - centralize thread-level shared options forwarding across runtime wrapper hooks. follow-up to <a href="https://redirect.github.com/assistant-ui/assistant-ui/issues/4135">#4135</a>. (<a href="https://github.com/okisdev"><code>@okisdev</code></a>)</p> <p>new public exports from <code>@assistant-ui/core</code> (re-exported from <code>@assistant-ui/react</code>):</p> <ul> <li><code>ExternalStoreSharedOptions</code>, a typed <code>Pick</code> over <code>ExternalStoreAdapter</code> covering the four thread-level optional fields every wrapper forwards: <code>isDisabled</code>, <code>isSendDisabled</code>, <code>unstable_capabilities</code>, <code>suggestions</code>.</li> <li><code>pickExternalStoreSharedOptions(options)</code>, plucks those four fields from a wider options object. the body uses <code>satisfies Required<...></code> so adding a key to the type without copying it in the function is a compile error rather than a silent missing-field bug.</li> <li><code>useExternalStoreSharedOptions(options)</code> (from <code>@assistant-ui/core/react</code>), a memoized variant for wrappers that wrap their store in <code>useMemo</code>. lets the wrapper list a single stable <code>shared</code> reference as a dep instead of enumerating the four fields. same <code>satisfies</code> guard internally so the destructure stays in sync with the type.</li> </ul> <p>internal: every runtime wrapper hook (<code>useChatRuntime</code>, <code>useAISDKRuntime</code>, <code>useLangGraphRuntime</code>, <code>useA2ARuntime</code>, <code>useAgUiRuntime</code>, <code>useAdkRuntime</code>, <code>useStreamRuntime</code>, <code>useOpenCodeRuntime</code>) now uses these helpers instead of inlining the conditional spreads added in <a href="https://redirect.github.com/assistant-ui/assistant-ui/issues/4135">#4135</a>. each wrapper sheds 20 to 40 lines of duplicated declarations and conditional spreads; future additions to the shared option set propagate through a single edit in <code>pickExternalStoreSharedOptions</code> instead of touching every wrapper. no user-facing behavior change.</p> </li> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4141">#4141</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/0b999594ff30ded9f804896093eab0478ac5ce46"><code>0b99959</code></a> - fix(react): stop subtree mutations from snapping a scrolled-up viewport back to bottom; loosen at-bottom threshold for high-DPR displays (<a href="https://github.com/vaniyokk"><code>@vaniyokk</code></a>)</p> <p><code>useThreadViewportAutoScroll</code> had two related bugs surfaced on Chrome macOS at <code>devicePixelRatio: 2</code>:</p> <ol> <li>subtree mutations snapped the viewport back to bottom after the user scrolled away. <code>scrollingToBottomBehaviorRef</code> was planted on <code>thread.runStart</code> / <code>useOnScrollToBottom</code> / initialize / thread switch and only cleared in <code>handleScroll</code> once <code>newIsAtBottom</code> became true. while the ref stayed set, every non-style subtree mutation (a Radix <code>data-state</code> flip, a markdown re-render, an image lazy-load, an attribute toggle on a child) re-entered <code>useOnResizeContent</code>'s callback and called <code>scrollToBottom(scrollBehavior)</code>, locking the viewport to the bottom until reload.</li> <li><code>isAtBottom</code> never registered as <code>true</code> on high-DPR displays. <code>Math.abs(scrollHeight - scrollTop - clientHeight) < 1</code> is strict-less-than, and Chrome macOS at <code>devicePixelRatio: 2</code> clips <code>scrollTop</code> one pixel short of <code>scrollHeight - clientHeight</code> (<code>Math.abs(1) < 1 === false</code>), so the store never updated and <code>ScrollToBottom</code> never moved into its disabled state.</li> </ol> <p>the fix combines two layers. <code>handleScroll</code> now tracks <code>lastScrollHeight</code> alongside <code>lastScrollTop</code> and releases the auto-stick intent when the user scrolls up with content size unchanged, ruling out content-driven scrollTop shifts. the resize callback also bails when neither <code>scrollHeight</code> nor <code>clientHeight</code> has changed since the last fire, so mutations that don't move layout never re-enter the snap path. at-bottom auto-follow during streaming is preserved (verified by appending a synthetic 600px child while scrolled to bottom; viewport follows to new bottom). the threshold becomes <code><= 1</code> to absorb the 1px sub-pixel clip.</p> <p>closes <a href="https://redirect.github.com/assistant-ui/assistant-ui/issues/4140">#4140</a>.</p> </li> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4160">#4160</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/e76611fcb80a39d7b6071d82bcfaf1bb7345110b"><code>e76611f</code></a> - feat: add <code>indicator</code> support to <code>MessagePrimitive.GroupedParts</code>. (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</p> <p>Restores loading-state handling that was dropped from the grouped renderer. <code>GroupedParts</code> now emits a synthetic <code>{ part: { type: "indicator" } }</code> render call you handle with <code>case "indicator"</code> in your <code>switch (part.type)</code> — render a "thinking…" dot or any loading affordance.</p> <ul> <li>The indicator is only ever emitted while the message is <strong>running</strong>, so its presence alone means "render loading UI here" — there's no <code>status</code> to branch on.</li> <li>New <code>indicator</code> prop restricts which running states qualify: <code>"never"</code>, <code>"empty"</code> (no parts yet), <code>"no-text"</code> (default — last part isn't <code>text</code>/<code>reasoning</code>, e.g. the model ended on a tool call), or <code>"always"</code> (any running state).</li> </ul> </li> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4162">#4162</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/eef724efe4a9075337577c626d7ea7aead45cfbe"><code>eef724e</code></a> - fix: drop phantom sibling messages when an external store swaps an optimistic message id mid-run (<a href="https://redirect.github.com/assistant-ui/assistant-ui/issues/4037">#4037</a>). (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</p> <p>Messages can now be flagged <code>metadata.isOptimistic</code>. Optimistic messages are treated as ephemeral: they only ever live on the current head branch (the repository evicts off-branch optimistic messages whenever the head moves) and they are never written to persisted state (<code>export()</code> omits them). The AI SDK v6 adapter flags the streaming assistant message as optimistic, so when its client-generated id is replaced by a server-provided one mid-run, the stale placeholder no longer lingers as a phantom branch (e.g. <code>BranchPicker</code> showing <code>2/2</code> on a turn the user never branched). Unlike the reverted blanket id-diff (<a href="https://redirect.github.com/assistant-ui/assistant-ui/issues/4040">#4040</a>), only explicitly-optimistic messages are affected, so legitimate <code>onEdit</code> / <code>onReload</code> / <code>switchToBranch</code> branches are preserved.</p> </li> <li> <p><a href="https://redirect.github.com/assistant-ui/assistant-ui/pull/4175">#4175</a> <a href="https://github.com/assistant-ui/assistant-ui/commit/2dec3aeba0431178f4ca26e470b304f5a89390ba"><code>2dec3ae</code></a> - chore: update dependencies (<a href="https://github.com/Yonom"><code>@Yonom</code></a>)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/assistant-ui/assistant-ui/commit/426c4acd6eeb81c2b4ef8368eb7669f1fe03f431"><code>426c4ac</code></a> chore: update versions (<a href="https://github.com/assistant-ui/assistant-ui/tree/HEAD/packages/react/issues/4177">#4177</a>)</li> <li><a href="https://github.com/assistant-ui/assistant-ui/commit/27ae936dec6dc5d05d21fd892af0a8e1db61928e"><code>27ae936</code></a> feat: move use-generative markers to core/react, extract the compiler, add <a href="https://github.com/a"><code>@a</code></a>...</li> <li><a href="https://github.com/assistant-ui/assistant-ui/commit/275aef6774a4118a186abb39afda220ce4aa9a58"><code>275aef6</code></a> chore: update versions (<a href="https://github.com/assistant-ui/assistant-ui/tree/HEAD/packages/react/issues/4129">#4129</a>)</li> <li><a href="https://github.com/assistant-ui/assistant-ui/commit/2dec3aeba0431178f4ca26e470b304f5a89390ba"><code>2dec3ae</code></a> chore: update dependencies (<a href="https://github.com/assistant-ui/assistant-ui/tree/HEAD/packages/react/issues/4175">#4175</a>)</li> <li><a href="https://github.com/assistant-ui/assistant-ui/commit/eef724efe4a9075337577c626d7ea7aead45cfbe"><code>eef724e</code></a> fix: drop phantom siblings on optimistic message id swap (<a href="https://github.com/assistant-ui/assistant-ui/tree/HEAD/packages/react/issues/4037">#4037</a>) (<a href="https://github.com/assistant-ui/assistant-ui/tree/HEAD/packages/react/issues/4162">#4162</a>)</li> <li><a href="https://github.com/assistant-ui/assistant-ui/commit/13157895e4d69ad4266d6ab278edfc2e3ea1de92"><code>1315789</code></a> feat: add <code>@assistant-ui/next</code> + "use generative" toolkit support (<a href="https://github.com/assistant-ui/assistant-ui/tree/HEAD/packages/react/issues/4172">#4172</a>)</li> <li><a href="https://github.com/assistant-ui/assistant-ui/commit/fcb6baf161a9ee7dda65191e0b42de12b368724d"><code>fcb6baf</code></a> feat(core): tool <code>display</code> hint + <code>standalone-tool-call</code> grouping (<a href="https://github.com/assistant-ui/assistant-ui/tree/HEAD/packages/react/issues/4167">#4167</a>)</li> <li><a href="https://github.com/assistant-ui/assistant-ui/commit/299d4488c8a5bbec0679680866f5975055fe71b3"><code>299d448</code></a> chore: drop stale biome-ignore pragmas after migrating to oxlint (<a href="https://github.com/assistant-ui/assistant-ui/tree/HEAD/packages/react/issues/4151">#4151</a>)</li> <li><a href="https://github.com/assistant-ui/assistant-ui/commit/0b999594ff30ded9f804896093eab0478ac5ce46"><code>0b99959</code></a> fix(react): release auto-stick intent on user scroll-up; fix retina at-bottom...</li> <li><a href="https://github.com/assistant-ui/assistant-ui/commit/4429aa32f6bd4fd50a7a8ddbad1e19f6ccad192b"><code>4429aa3</code></a> refactor: centralize thread-level shared options helper (<a href="https://github.com/assistant-ui/assistant-ui/tree/HEAD/packages/react/issues/4136">#4136</a>)</li> <li>Additional commits viewable in <a href="https://github.com/assistant-ui/assistant-ui/commits/@assistant-ui/react@0.14.13/packages/react">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
07ec29bd84 |
build(deps): bump ajv from 8.18.0 to 8.20.0 (#7323)
Bumps [ajv](https://github.com/ajv-validator/ajv) from 8.18.0 to 8.20.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ajv-validator/ajv/releases">ajv's releases</a>.</em></p> <blockquote> <h2>v8.20.0</h2> <h2>What's Changed</h2> <ul> <li>fix: add support for node 22/24, drop node 16/21 by <a href="https://github.com/jasoniangreen"><code>@jasoniangreen</code></a> in <a href="https://redirect.github.com/ajv-validator/ajv/pull/2580">ajv-validator/ajv#2580</a></li> <li>fix: add ES2022.RegExp for RegExpIndicesArray by <a href="https://github.com/SignpostMarv"><code>@SignpostMarv</code></a> in <a href="https://redirect.github.com/ajv-validator/ajv/pull/2604">ajv-validator/ajv#2604</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ajv-validator/ajv/compare/v8.19.0...v8.20.0">https://github.com/ajv-validator/ajv/compare/v8.19.0...v8.20.0</a></p> <h2>v8.19.0</h2> <h2>What's Changed</h2> <ul> <li>fix prototype pollution via format keyword using $data ref by <a href="https://github.com/epoberezkin"><code>@epoberezkin</code></a> in <a href="https://redirect.github.com/ajv-validator/ajv/pull/2607">ajv-validator/ajv#2607</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ajv-validator/ajv/compare/v8.18.0...v8.19.0">https://github.com/ajv-validator/ajv/compare/v8.18.0...v8.19.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ajv-validator/ajv/commit/0fba0b8e649909613cfce0999b149cd08f4a4987"><code>0fba0b8</code></a> 8.20.0</li> <li><a href="https://github.com/ajv-validator/ajv/commit/9caf8d64409b05e2c670b3ff09cf7ca07937342e"><code>9caf8d6</code></a> fix: add ES2022.RegExp for RegExpIndicesArray; fixes <a href="https://redirect.github.com/ajv-validator/ajv/issues/2603">ajv-validator/ajv#2603</a> (...</li> <li><a href="https://github.com/ajv-validator/ajv/commit/206535071f776f57737394c8896d4b2dc2bfb9a3"><code>2065350</code></a> fix: add support for node 22/24, drop node 16/21 (<a href="https://redirect.github.com/ajv-validator/ajv/issues/2580">#2580</a>)</li> <li><a href="https://github.com/ajv-validator/ajv/commit/154b58d690c6596e09ca676e12720ab8234ee3d2"><code>154b58d</code></a> 8.19.0</li> <li><a href="https://github.com/ajv-validator/ajv/commit/e8d2bdc501b3ba6f03922db5e595770d4763d9da"><code>e8d2bdc</code></a> test/fix prototype pollution via $data ref with format keyword (<a href="https://redirect.github.com/ajv-validator/ajv/issues/2607">#2607</a>)</li> <li>See full diff in <a href="https://github.com/ajv-validator/ajv/compare/v8.18.0...v8.20.0">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
69e513efe1 |
ci(dependabot): bundle npm patch/minor updates by dependency type (#7483)
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies > - Dependabot keeps the JS/TS dependency tree up to date so the agents and UI run on supported package versions > - When a sibling package family shares peer dependencies (lexical core + `@lexical/*`, `@codemirror/*`, `@radix-ui/*`, `@assistant-ui/*`, etc.), bumping one without the others leaves the lockfile with two installed copies of the core package > - That trips TypeScript: nodes from one version are not assignable to types from the other, and the UI build fails — observed concretely on PR #7330 (lexical 0.35 → 0.45) once PAPA-490 stopped masking it > - The first cut (per-scope `groups` for each sibling-package family) works but requires maintenance whenever a new scope is added > - This pull request goes broader: it groups *all* npm patch/minor updates by dependency type (production vs development), so any sibling-package family is bundled regardless of scope > - The benefit is a single weekly PR per dep type, no per-scope maintenance, and no more partial peer bumps ## What Changed - Replaced the lexical-specific `groups` entry with two type-based groups in `.github/dependabot.yml`: - `production-dependencies`: bundles all patch/minor `dependencies` updates into one PR - `development-dependencies`: bundles all patch/minor `devDependencies` updates into one PR - Majors continue to land as individual PRs (and are already ignored by the existing `version-update:semver-major` rule). ## Verification - After merge, the next Dependabot run (Monday 06:00 weekly, or on `@dependabot recreate`) should open at most two new npm PRs — `chore(deps): bump the production-dependencies group` and `chore(deps-dev): bump the development-dependencies group` — each combining many bumps. The existing per-package PRs (#7318–#7331) will be closed and superseded by the grouped PRs. - Sanity-check by inspecting the resulting lockfile diff: `lexical` and `@lexical/link` should always move together to the same version. ## Risks - Low risk for CI config itself. The trade-off is larger weekly PRs that are harder to bisect when one bump breaks the batch — but Dependabot also publishes per-package failure reports inside the grouped PR, so triage stays tractable. - If a future package genuinely needs to stay ungrouped (e.g. a noisy one that breaks often), it can be moved out via `exclude-patterns` on the group. ## Model Used - Claude (Anthropic), claude-opus-4-7, tool-use enabled. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [ ] I have run tests locally and they pass — N/A, YAML-only CI config change - [ ] I have added or updated tests where applicable — N/A - [ ] If this change affects the UI, I have included before/after screenshots — N/A - [ ] I have updated relevant documentation to reflect my changes — N/A - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge |
||
|
|
93206f73fa |
fix: Stop archived companies from waking agents (#7478)
## Thinking Path
> - Paperclip orchestrates AI agents for zero-human companies
> - Each agent has a heartbeat scheduler that wakes it on timers and on
events; every wake spawns an adapter (Claude / Codex / …) run that bills
the operator's subscription
> - When an operator archives a company, the agents inside it remain in
invokable states — the heartbeat scheduler never consults company status
— so timers keep firing and event-driven wakes (comments, mentions,
blockers-resolved, etc.) keep cascading
> - On real deployments this silently drains the operator's
subscription: idle archived companies wake their CEOs hourly, plus any
cross-company event cascade
> - This pull request enforces "archived ⇒ never spawns a run" as a
structural invariant by guarding the wake path AND cascading agent state
on archive/reactivate
> - The benefit is that archived companies stop billing the operator,
and the UI/queue stays consistent with the invariant
## What Changed
- `server/src/services/heartbeat.ts`:
- `enqueueWakeup()` loads the company and short-circuits when status is
not `active`. Background sources (timer, automation, events) write a
`company.inactive` skipped wake and return `null`; explicit user invokes
throw a `conflict` so the UI surfaces the real reason.
- `tickTimers()` joins agents to active companies so the scheduler does
not iterate archived-company agents at all (no skip-row noise).
- `server/src/services/companies.ts`:
- `archive(id, actor?)` pauses runnable agents with `pauseReason =
"company_archived"` inside the transaction (preserving
`pending_approval`, `terminated`, and agents paused for unrelated
reasons), then cancels `queued`/`running` heartbeat runs after the
transaction commits.
- `update(id, data, actor?)` reverses the cascade only for agents whose
`pauseReason === "company_archived"` on the `archived → active`
transition; manually-paused agents stay paused.
- Both methods emit activity-log entries (`company.archived` with
`agentsPaused` + `runsCancelled`, `company.reactivated` with
`agentsRestored`) so the audit trail fires regardless of caller.
- `packages/shared/src/constants.ts` + `server/src/services/budgets.ts`:
add `company_archived` to the legal `PauseReason` union so the
restorable marker is a first-class value.
-
`packages/db/src/migrations/0094_backfill_archived_company_agent_pauses.sql`:
backfill so existing archived-company agents become `paused /
company_archived` (excludes `pending_approval`).
- `ui/src/lib/activity-format.ts`: add the `company.reactivated` label.
## Verification
- `npx vitest run src/__tests__/companies-service.test.ts` — archive
cascade, reactivate cascade, and activity-log entries (with counts) all
pass.
- `npx vitest run
src/__tests__/heartbeat-archived-company-guard.test.ts` — timer +
on-demand + event-wake paths all blocked for archived companies;
`company.inactive` skipped-wake row written; user-initiated wakes throw
`conflict`.
- `pnpm typecheck` — clean.
- Manual repro from the bug description: archive a company, wait an
interval / post a comment on one of its issues, observe zero new
heartbeat runs.
## Risks
- Migration `0094` is a single bulk UPDATE on `agents` joined to
archived `companies`. On large deployments it briefly holds row locks on
archived-company agent rows; should be quick because the predicate is
narrow (`status NOT IN (paused, terminated, pending_approval)` and
`companies.status = 'archived'`).
- New `pauseReason` value (`company_archived`) is opaque to older
clients that only know the previous union. Acceptable because the union
is read as plain text and the contract is sync'd in the same change.
- Behavior change for users: invoking an agent in an archived company
now fails with a conflict instead of silently spawning a run. Intended.
## Model Used
- Claude (Anthropic) — model `claude-opus-4-7` ("Opus 4.7"), Claude Code
CLI, with tool use (Read/Edit/Bash/Grep). No extended thinking mode.
## Checklist
- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [ ] If this change affects the UI, I have included before/after
screenshots — N/A, no UI changes beyond an activity-log label string
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
## Related Work
Fixes #1348 (`[Bug] Archived companies still running heartbeats and
consuming tokens`).
Prior attempts and parallel work in this area:
- #1365 and #1429 by @hungdqdesign (March 2026) — both closed without
merging. Same three-layer shape (`tickTimers` / `enqueueWakeup` /
`resumeQueuedRuns` + archive-route cancellation) targeting #1348. Credit
for first publicly proposing the wake-path-guard approach.
- #5865 by @stubbi (May 2026, open) — adds the same `companies.status !=
'archived'` joins to `tickTimers`, `enqueueWakeup`, `resumeQueuedRuns`,
**and** routines `tickScheduledTriggers`, bundled with plugin-table
tenant isolation (`plugin_entities` / `plugin_job_runs` / `plugin_logs`
/ `plugin_webhook_deliveries` get a `companyId` FK with `ON DELETE
CASCADE`). This PR is narrower — it does not touch routines or plugin
tables — but adds the **archive cascade** (pause agents with
`pauseReason = "company_archived"`), the **reactivate reverse**
(un-pause only that subset), the **`company_archived` pause-reason
marker**, and a **backfill migration** for pre-existing archived
companies, which #5865 does not include. Happy to coordinate sequencing
or rebase if #5865 lands first.
|
||
|
|
62863126a3 |
fix(plugin-tool-dispatcher): propagate pluginDbId so worker.isRunning resolves (#5671)
Fixes #2391 Fixes #3394 Fixes #4094 Fixes #5501 Fixes #5916 Fixes #6215 Fixes #6514 ## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies > - Plugins extend the platform by registering agent-callable tools backed by long-running worker processes > - `PluginToolDispatcher` is the boundary between the HTTP `/api/plugins/tools/execute` route and `PluginWorkerManager`, which owns those worker processes > - `PluginWorkerManager` keys live workers by the plugin's **database UUID**, but `plugin-loader` was registering tools using only `pluginKey` — so every tool call did `workerManager.isRunning(pluginKey)` and always got `false` > - As a result, every `POST /api/plugins/tools/execute` against a tool-exposing plugin returned 502 `worker for plugin X is not running`, even though the worker process was alive (hit in production by `vexion.council-chat`; `mem0-sync` would be next) > - This pull request threads the DB UUID through the dispatcher → registry hop and hardens the contract so omitting the UUID is a compile-time error, not a silent fallback > - The benefit is plugin tool execution actually works for any plugin declaring `manifest.tools[]`, and the type system prevents the same bug from recurring ## What Changed - `server/src/services/plugin-loader.ts` — pass in-scope `pluginId` (DB UUID) as the third argument to `toolDispatcher.registerPluginTools`. Single-line root fix. - `server/src/services/plugin-tool-dispatcher.ts` — `registerPluginTools` now takes `pluginDbId: string` (required, was optional). JSDoc updated to document the worker-routing contract and why the optional signature masked the bug. - `server/src/services/plugin-tool-registry.ts` — `registerPlugin` throws on missing/empty `pluginDbId` so any new call site that forgets the UUID fails immediately rather than silently falling back to `pluginKey`. - `server/src/__tests__/plugin-tool-dispatcher-pluginDbId.test.ts` — new focused regression suite covering the activation path, disable→enable lifecycle, worker re-spawn, and the empty-UUID guard. ## Verification - `pnpm vitest run server/src/__tests__/plugin-tool-dispatcher-pluginDbId.test.ts` — 6/6 passing. - `pnpm vitest run server/src/__tests__/plugin-database.test.ts server/src/__tests__/plugin-routes-authz.test.ts server/src/__tests__/plugin-lifecycle-restart.test.ts` — 48/48 passing on the merge commit. - `pnpm --filter @paperclipai/server typecheck` — no new errors introduced by these files. - Manual repro path: 1. Install a plugin that declares `manifest.tools[]` and uses `runWorker`. 2. Confirm status `ready` and a live worker (`paperclipai plugin diagnostics <key>`). 3. `POST /api/plugins/tools/execute` with `{ tool: "<pluginKey>:<toolName>", parameters, runContext }`. 4. Pre-fix: HTTP 502, `worker for plugin <key> is not running`. Post-fix: tool dispatches normally. ## Risks - Low risk. The signature tightening (`pluginDbId?` → `pluginDbId`) is a back-compatible behavioral fix at the only production call site (`plugin-loader`), which already had the UUID in scope. - Test/recovery paths that previously omitted the UUID must now supply it; the new error message identifies the missing arg explicitly. - No database migration, no API/schema change, no plugin-author-facing change. - The merge commit pulls master into the PR branch additively (no rebase); reviewers can read the fix commits independently of the merge. ## Model Used - Provider/model: Anthropic Claude (Opus 4.7, `claude-opus-4-7`) for the additive merge-conflict resolution, PR description rewrite, and Greptile follow-up; original fix authored by [@Ramon-nassa](https://github.com/Ramon-nassa). - Capabilities used: tool use (file edit, shell, GitHub CLI), extended thinking off, no code execution by the model. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [ ] If this change affects the UI, I have included before/after screenshots (N/A — server-only change) - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --- ## Original Summary (preserved from contributor) `plugin-loader` activates plugins and calls ```ts toolDispatcher.registerPluginTools(pluginKey, manifest) ``` with only two args. `PluginToolDispatcher.registerPluginTools` forwards them to `registry.registerPlugin(pluginKey, manifest)`. The registry falls back `pluginDbId ?? pluginKey`, but `PluginWorkerManager` keys live workers by the DB UUID — so the downstream ```ts workerManager.isRunning(pluginKey) // always false ``` causes every `POST /api/plugins/tools/execute` to fail with `worker for plugin X is not running`, even when the worker process is alive and healthy. **This hits every plugin that exposes tools** (we hit it in `vexion.council-chat`; `mem0-sync` would too). Reported-by: Vexion / Ramon Nassar (vexion.council-chat plugin, MO-068). --------- Co-authored-by: ramon nassar <ramon@tabs.co> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Devin Foley <devin@devinfoley.com> Co-authored-by: Paperclip <noreply@paperclip.ing> |
||
|
|
c369d3d357 |
fix: exempt Dependabot PRs from manual-lockfile block and quality gates (#7457)
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies, including how we ship the public `paperclip` repo itself > - The `PR` and `commitperclip PR Review` workflows are the CI gating layer that decides whether any pull request — human or bot — can be merged to `master` > - Dependabot opens dependency PRs that always carry a `pnpm-lock.yaml` diff and an auto-generated PR body, but our `policy` job hard-fails any non-`chore/refresh-lockfile` lockfile change, and our `commitperclip` quality gate requires a Thinking-Path / What-Changed / Verification / Risks / Model template Dependabot can't produce > - Because `policy` fails first, every downstream lane (`Build`, `Typecheck + Release Registry`, `General tests`, `Verify serialized server`, `Canary Dry Run`, `e2e`, and the required `verify` check) skips and `verify` fails — so we never see whether the upgrade is actually safe > - Socket.dev (PR Alerts + Project Report) and Snyk already run on every dependency PR and are the supply-chain compensating control against malicious upgrades; the missing piece is just letting our own build/test signal run so a human can merge with confidence > - This pull request adds a narrow Dependabot bypass to the two gates that block on lockfile diffs and PR-template prose, while leaving every other policy and security check active > - The benefit is that Dependabot PRs like #7331 will now run the full PR matrix, giving reviewers real evidence to approve or reject — without weakening any check that targets supply-chain or build-correctness risk ## What Changed - `.github/workflows/pr.yml` — extended the existing `chore/refresh-lockfile` bypass on the `policy` job's "Block manual lockfile edits" step to also skip when `github.actor == 'dependabot[bot]'`. Every other policy step (Dockerfile deps stage validation, `no-git-push` enforcement, release-package map check, release bootstrap, manifest-driven `pnpm install --lockfile-only` resolution) keeps running on Dependabot PRs. - `.github/workflows/commitperclip-review.yml` — gated the `Run quality gates` step and the dependent `Fail if quality gates failed` step on `github.event.pull_request.user.login != 'dependabot[bot]'`. `Run security gates` (`check-pr-security.mjs`) stays unconditional so supply-chain visibility into Dependabot lockfile churn is preserved. No changes to `.github/scripts/*.mjs` — keeping the bypass at the workflow level avoids churning unit-tested code. ## Verification - CI on this PR: `policy` should pass and the downstream lanes (`Build`, `Typecheck + Release Registry`, `General tests`, `Verify serialized server`, `Canary Dry Run`, `e2e`, `verify`) should all run normally (this PR isn't from Dependabot, so the bypass condition is false — proves we didn't accidentally widen the exemption). - After merge, ask Dependabot to rebase #7331 (`@dependabot rebase`) and confirm: - `PR / policy` → `success` (lockfile step now `skipped`, other policy steps `success`) - `PR / Build`, `PR / Typecheck + Release Registry`, `PR / General tests (server|workspaces-a|workspaces-b)`, `PR / Verify serialized server (1/4..4/4)`, `PR / Canary Dry Run`, `PR / e2e` → all execute (none `skipped`) - `PR / verify` → `success` once the matrix passes - `commitperclip PR Review / review` → `success` (quality-gates steps `skipped` for Dependabot; security gates ran) - Socket and Snyk checks unchanged - Local sanity-check: `git diff origin/master..HEAD` shows only the two workflow files, 7 added / 2 removed lines. ## Risks - **Auto-merging a poisoned dep.** Mitigated by Socket.dev + Snyk + human merge approval. This change only affects CI gating, not who clicks "Merge". - **Spoofing `github.actor` as `dependabot[bot]`.** GitHub sets `github.actor` from the push actor; spoofing requires a compromised Dependabot install token, which is the same threat model that already lets an attacker push anything to a Dependabot-controlled branch — not a new risk surface. - **Policy "Validate dependency resolution when manifests change" step running `pnpm install --lockfile-only --no-frozen-lockfile` on a Dependabot lockfile.** That step intentionally uses `--lockfile-only`, so it only verifies the manifest resolves and does not push or commit the result. Existing behavior is unchanged. - Low overall: the diff is two workflow-level `if:` conditions in steps that already had bypasses. ## Model Used - Provider: Anthropic Claude (via Claude Code in the Paperclip executor) - Model ID: claude-opus-4-7 - Context window: 200K - Reasoning mode: standard tool-use; no extended thinking required for this change - Capabilities used: file edit, bash, GraphQL/REST API calls - Plan was drafted, approved by board, and split into child issues before implementation; see [PAPA-490](https://paperclip.ing/PAPA/issues/PAPA-490) for the planning thread. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass (this change is workflow-only — no code under test; lint via `yamllint` clean) - [x] I have added or updated tests where applicable (workflow gating; no script changes, no unit-testable surface) - [x] If this change affects the UI, I have included before/after screenshots (no UI changes) - [x] I have updated relevant documentation to reflect my changes (no docs reference these gates) - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge |
||
|
|
03e1e3abd2 |
Revert "Remove linked-issue gate from commitperclip" (#7426)
Reverts paperclipai/paperclip#7423 Decided to keep this in place so we can automate issue reproduction in the future. We all make mistakes. Even me, if you can believe it. |
||
|
|
70b1a9109d |
Improve CLI API parity coverage (#6626)
## Thinking Path > - Paperclip is a control plane for AI-agent companies, with the CLI acting as a scriptable operator and agent interface to that control plane. > - The REST API surface has grown across companies, agents, issues, routines, plugins, auth, workspaces, secrets, and operational inspection commands. > - The CLI had drifted from that API surface: some commands were missing, some command shapes differed from docs/reference material, and several edge cases only failed during end-to-end local-source testing. > - The local development runbook requires these tests to be disposable and isolated from a real `~/.paperclip`, `~/.codex`, or `~/.claude` installation. > - This pull request adds broad CLI/API parity coverage, fixes the actionable bugs found during that pass, and records the reproducible test log under `doc/logs`. > - The benefit is a more complete, scriptable CLI surface with regression coverage for the command families exercised by the parity run. ## What Changed - Added or expanded CLI command coverage for access/auth, companies, agents, projects, goals, issues and subresources, routines, plugins, workspaces, activity/run/cost/dashboard inspection, assets, skills, secrets, tokens, prompt/wake flows, and local setup helpers. - Fixed CLI/API parity bugs found during the run, including context profile patching, issue interaction optional payloads, malformed tree-hold errors, environment duplicate handling, configure invalid-section exit codes, worktree pnpm invocation, token agent ID resolution, plugin tool worker lookup, and routine webhook secret cleanup. - Added missing CLI wrappers and route coverage for health/access, invite resolution URL forwarding, join status normalization, secret lifecycle commands, LLM docs routes, available-skill isolation, positive board-claim coverage, and interactive `connect` prompt-flow tests. - Added a schema-backed `/api/openapi.json` route sufficient for CLI parity and `paperclipai openapi --json` smoke coverage. - Added `doc/logs/2026-05-24-cli-api-parity-e2e-log.md` with the detailed living test/bug log and renamed the log directory from `doc/bugs` to `doc/logs`. - Added `doc/plans/2026-05-23-cli-api-parity.md` and the OpenAPI parity reference used during the pass. OpenAPI note: this PR intentionally does not try to subsume `feature/openapi-spec`. The OpenAPI implementation here is schema-backed and better than the earlier route-inventory stub, but `feature/openapi-spec` is the fuller/better OpenAPI branch because it includes exact mounted-route coverage tests and additional current route coverage. That branch should stay as its own PR and can supersede this OpenAPI route implementation. ## Verification Targeted automated checks run: - `pnpm exec vitest run server/src/__tests__/openapi-routes.test.ts` - `pnpm exec vitest run server/src/__tests__/board-claim.test.ts` - `pnpm exec vitest run cli/src/__tests__/connect.test.ts` - `pnpm exec vitest run cli/src/__tests__/agent-lifecycle.test.ts` - `pnpm exec vitest run server/src/__tests__/plugin-database.test.ts` - `pnpm exec vitest run server/src/__tests__/routines-service.test.ts` - `pnpm --dir cli typecheck` - `pnpm --dir server typecheck` Manual/local E2E verification: - Ran the full disposable local-source CLI/API parity pass with isolated `PAPERCLIP_HOME`, `PAPERCLIP_CONFIG`, `PAPERCLIP_CONTEXT`, `PAPERCLIP_AUTH_STORE`, `CODEX_HOME`, and `CLAUDE_HOME` under `tmp/cli-api-parity`. - Verified `DATABASE_URL` and `DATABASE_MIGRATION_URL` stayed unset for the scratch server. - Verified live health and schema-backed OpenAPI responses on non-default port `3197`. - Revoked created board/agent tokens and cleaned up temporary plugins, secrets, non-default environments, and project workspaces. - See `doc/logs/2026-05-24-cli-api-parity-e2e-log.md` for the full command-by-command reproduction log. Not run: - Full `pnpm test`, `pnpm test:run`, or `pnpm build` were not run after the entire branch because the branch is broad and the parity pass used focused test/typecheck verification plus live isolated CLI reruns. ## Risks - This is a broad PR and touches many CLI command modules, so review surface is high. The changes are grouped around one theme, but a split may be easier if maintainers prefer narrower PRs. - The OpenAPI route in this PR is not the final/best OpenAPI implementation. `feature/openapi-spec` has stronger exact-route coverage and should remain the source for the dedicated OpenAPI PR. - The living log is intentionally detailed and large. It is useful for reproducibility but adds documentation weight. - No UI changes are intended; screenshots are not applicable. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5-based coding agent in Codex desktop. Exact served model/context-window identifier was not exposed in the local app. Work used shell/Git/GitHub CLI tooling, local source inspection, targeted test execution, and live isolated Paperclip CLI/API smoke testing. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Devin Foley <devin@devinfoley.com> |
||
|
|
68401f82f3 |
Remove linked-issue gate from commitperclip (#7423)
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies > - The `commitperclip` PR quality gates enforce hygiene on every PR before merge > - One of those gates required PRs to link to a tracking issue, which adds friction for small/internal changes that don't need a tracker entry > - The repository owner decided the linked-issue requirement is no longer the right default > - This pull request removes the linked-issue gate (the script, its tests, and the orchestrator wiring) > - The benefit is fewer false-failing PR checks and one less mandatory authoring step ## What Changed - Deleted `.github/scripts/check-pr-linked-issue.mjs` - Deleted `.github/scripts/tests/check-pr-linked-issue.test.mjs` - Removed the `checkLinkedIssue` import, the `Promise.resolve(checkLinkedIssue(...))` entry in the `Promise.all` block, the `issueResult` destructured binding, and the `...issueResult.failures` spread from `.github/scripts/run-quality-gates.mjs` ## Verification - `node --test .github/scripts/tests/*.test.mjs` — 72/72 tests pass across the remaining 4 gate suites - `git grep -n 'check-pr-linked-issue\|checkLinkedIssue\|check-pr-linked'` — no matches - Inspected `run-quality-gates.mjs` — no orphaned `issueResult` references ## Risks - Low risk. Pure removal of one optional gate; the `.github/workflows/commitperclip-review.yml` workflow only invokes the orchestrator and needs no changes. PR template and `CONTRIBUTING.md` do not mention linked issues, so no docs change is required. ## Model Used - Claude (Anthropic), `claude-opus-4-7`, extended-thinking mode, tool use enabled ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable (existing gate-suite tests still pass; removed gate's tests deleted with it) - [x] If this change affects the UI, I have included before/after screenshots (n/a — CI script change) - [x] I have updated relevant documentation to reflect my changes (no docs reference the removed gate) - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge Co-authored-by: Paperclip <noreply@paperclip.ing> |
||
|
|
d58a862549 |
fix(issues): coerce anchor.createdAt to Date before postgres binding (PRO-3144) (#5220)
## Thinking Path > - Paperclip orchestrates AI agents in a control plane backed by Postgres + drizzle-orm > - `listComments` is the cursor-paginated comment listing on the issues service; the cursor branch uses Drizzle's `gt`/`lt`/`eq` against `issueComments.createdAt` > - On postgres.js v3.4.8, passing a `Date` instance through the comparison helpers triggers `TypeError [ERR_INVALID_ARG_TYPE]: The "string" argument must be of type string or an instance of Buffer or ArrayBuffer. Received an instance of Date` > - The driver's binding path expects a Date constructed via the standard runtime, but drizzle's `select` returns instances that don't satisfy that check in this version > - This PR coerces `anchor.createdAt` through `toISOString()` → `new Date(...)` so the comparison helpers always receive a binding-safe Date, then folds in a follow-up that hoists the Date into a single allocation reused across all four `gt`/`lt`/`eq` call sites > - The benefit is `listComments` cursor pagination stops 500-ing on Pg v3.4.8 with one Date allocation per call instead of four, exercised by both ascending and descending cursor tests ## What Changed - `server/src/services/issues.ts` — coerce `anchor.createdAt` to a binding-safe `Date` once and reuse the same instance across all four cursor comparisons (`gt` / `lt` / `eq`) - `server/src/__tests__/issues-service.test.ts` — add an ascending-cursor sibling test so both `gt` and `lt` cursor paths are exercised; the existing descending test continues to pass ## Verification ```bash # Both cursor branches pnpm --filter @paperclipai/server exec vitest run \ src/__tests__/issues-service.test.ts -t "anchor comment" # → 2 passed, 41 skipped # Production smoke curl -s "$PAPERCLIP_API_URL/api/issues/<issueId>/comments?after=<commentId>&order=asc" \ -H "Authorization: Bearer $PAPERCLIP_API_KEY" # Expect: JSON array, no 500 TypeError ``` ## Risks - Low risk. Pure cursor-pagination internals in `listComments`; no schema, migration, or external contract changes - Drizzle's `gt`/`lt`/`eq` continue to receive a `Date` for the timestamp column, producing the same bound parameter as before - Behavioural surface is exercised by ascending + descending cursor tests against a real Postgres test database ## Model Used - Claude Opus 4.7 (`claude-opus-4-7`), no extended-thinking mode, used for the hoist+test follow-up commit ## Fixes Closes #2612, Closes #3661, Closes #3830 ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [ ] If this change affects the UI, I have included before/after screenshots — n/a, backend-only - [x] I have updated relevant documentation to reflect my changes — n/a, no docs touched - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Elena Voronova <elena@paperclip.ing> Co-authored-by: Paperclip <noreply@paperclip.ing> Co-authored-by: Devin Foley <devin@devinfoley.com> |
||
|
|
edeab22c28 |
Merge pull request #7362 from paperclipai/pap-10195-dev-runner-race
[codex] Fix dev runner snapshot race |
||
|
|
6460ea2616 |
Merge pull request #7360 from paperclipai/pap-10195-pwa-controls
[codex] Add standalone PWA browser controls |
||
|
|
89db3393f1 |
Merge pull request #7361 from paperclipai/pap-10195-attachment-previews
[codex] Render rich issue attachment previews |
||
|
|
2997a47fec |
Guard markdown filename previews by content type
Co-Authored-By: Paperclip <noreply@paperclip.ing> |
||
|
|
fbfac2ff22 | fix(ui): type standalone controls test shim | ||
|
|
a18776c627 |
Narrow IssueDetail hook-order warning assertion
Co-Authored-By: Paperclip <noreply@paperclip.ing> |
||
|
|
4aa6a22686 | fix(ui): initialize standalone controls synchronously | ||
|
|
dc58544832 | Address dev runner snapshot review feedback | ||
|
|
0da56d780f |
Align attachment video detection with server
Co-Authored-By: Paperclip <noreply@paperclip.ing> |
||
|
|
3f80d7cd25 | test(ui): cover chromeless display modes | ||
|
|
cfcdf2dea9 | fix(ui): align PWA display-mode listeners | ||
|
|
8f25ba6381 | Add dev runner snapshot race regression test |