Fixed the API migration endpoint to set opts.OriginalURL from form.CloneAddr, ensuring consistency with the web route and preventing empty URL in system notices. Removed the TODO comment since OriginalURL is now always populated.
Since CloneAddr is a required field (binding:"Required"), OriginalURL will always be non-empty when the API validation passes.
Co-authored-by: silverwind <115237+silverwind@users.noreply.github.com>
Co-authored-by: silverwind <115237+silverwind@users.noreply.github.com>
Added TODO comment before the migration failure notice to document that opts.OriginalURL can be empty when migration is triggered via the API route, which doesn't set this field. The comment also suggests potential solutions.
Co-authored-by: silverwind <115237+silverwind@users.noreply.github.com>
Co-authored-by: silverwind <115237+silverwind@users.noreply.github.com>
Check if opts.OriginalURL is empty and adapt the notice message accordingly to avoid printing "from failed" when OriginalURL is not set (e.g., when using the API).
Co-authored-by: silverwind <115237+silverwind@users.noreply.github.com>
Co-authored-by: silverwind <115237+silverwind@users.noreply.github.com>
## Overview
This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for
the Gitea project.
## Changes
### Toolchain Update
- **Go Toolchain**: Updated from `go1.25.5` to `go1.25.6`
This is a minor toolchain version bump that ensures the project uses the
latest patch release of Go 1.25.
## Security Improvements
While this PR primarily addresses the toolchain update, the project
maintains a strong security posture through:
### Current Security Measures
```log
Vulnerability #1: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
More info: https://pkg.go.dev/vuln/GO-2026-4342
Standard library
Found in: archive/zip@go1.25.5
Fixed in: archive/zip@go1.25.6
Example traces found:
#1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open
Vulnerability #2: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
More info: https://pkg.go.dev/vuln/GO-2026-4341
Standard library
Found in: net/url@go1.25.5
Fixed in: net/url@go1.25.6
Example traces found:
#1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery
#2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query
Vulnerability #3: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in
crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4340
Standard library
Found in: crypto/tls@go1.25.5
Fixed in: crypto/tls@go1.25.6
Example traces found:
#1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake
#2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
#3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read
#4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write
#5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial
#6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer
#7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext
```
## Breaking Changes
None expected. This is a minor toolchain patch update.
Followup to
59f812bc1c,
enforce using our localStorage wrapper in eslint.
Also did a few tweaks in the eslint config, like removing the incomplete
list of globals, this is a non-issue with typescript.
---------
Signed-off-by: silverwind <me@silverwind.io>
In Git 2.38, the `merge-tree` command introduced the `--write-tree`
option, which works directly on bare repositories. In Git 2.40, a new parameter `--merge-base` introduced so we require Git 2.40 to use the merge tree feature.
This option produces the merged tree object ID, allowing us to perform
diffs between commits without creating a temporary repository. By
avoiding the overhead of setting up and tearing down temporary repos,
this approach delivers a notable performance improvement.
It also fixes a possible situation that conflict files might be empty
but it's a conflict status according to
https://git-scm.com/docs/git-merge-tree#_mistakes_to_avoid
Replace #35542
---------
Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Fixes: https://github.com/go-gitea/gitea/issues/36175
1. Correctly apply setting on textareas spawned by comment edit
3. When changing the setting, apply it to all textareas on the current page
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
For when Enry correctly recognized the language, but returns the
language name in a way that isn't recognized by chroma.
Resolves https://github.com/go-gitea/gitea/issues/22443
---------
Co-authored-by: Moritz Jörg <moritz.jorg@oceanbox.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This adds [knip](https://github.com/webpro-nl/knip), a tool to find
unused files, dependencies and exports in JS. Fixed all discovered
issues.
1. knip apparently has some issue resolving imports from `d.ts` to `.ts`
so I worked around it by moving the two affected types to where they are
used.
2. I don't know why `modules/fomantic/dropdown.ts` had a new typescript
error, but I fixed it.
3. Use named export for `EsbuildPlugin`, I think this was added
recently.
Updates all dependencies in `Makefile`. The go fix was done
automatically, I just altered the variable name.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
1. Upgrade to [jQuery
4.0](https://blog.jquery.com/2026/01/17/jquery-4-0-0/). Two of the
removed APIs are in use by fomantic, but there are [polyfills
present](a3a3e581aa/web_src/fomantic/build/components/dropdown.js (L15-L17))
so it continues to work.
2. Remove manual naming of webpack chunks. I was running into below
webpack error and I see no reason for this manual chunk naming which is
prone to naming collisions. Also, the webpack build now shows all output
assets. This change will result in longer asset filenames, but webpack
should now be able to guarentee that the names are without collisions.
````
ERROR in SplitChunksPlugin
Cache group "defaultVendors" conflicts with existing chunk.
Both have the same name "--------" and existing chunk is not a parent of
the selected modules.
Use a different name for the cache group or make sure that the existing
chunk is a parent (e. g. via dependOn).
HINT: You can omit "name" to automatically create a name.
BREAKING CHANGE: webpack < 5 used to allow to use an entrypoint as
splitChunk. This is no longer allowed when the entrypoint is not a
parent of the selected modules.
Remove this entrypoint and add modules to cache group's 'test' instead.
If you need modules to be evaluated on startup, add them to the existing
entrypoints (make them arrays). See migration guide of more info.
3. Fix test issue related to `p > div` which is invalid as per HTML spec
because `div` is not [phrasing
content](https://html.spec.whatwg.org/multipage/dom.html#phrasing-content-2)
and therefor can not be a descendant of `p`. This is related to
https://github.com/capricorn86/happy-dom/pull/2007.
4. Add webpack globals
5. Remove obsolete docs glob
6. fix security issue for `seroval` package
7. disable [vitest isolate](https://vitest.dev/config/isolate.html) for
30% faster JS tests, which are all pure.
## Summary
This PR fixes#36255
The image captcha was using random colors which often resulted in poor
contrast against dark backgrounds, making it difficult or impossible for
users to read in dark mode.
## Changes
- Added a custom color palette to the image captcha configuration in
`services/context/captcha.go`
- The palette uses high-contrast colors (bright red, blue, green,
yellow, purple, and dark blue-gray) that provide good visibility in both
light and dark themes
- This improves accessibility and user experience without changing any
existing functionality
## Testing
- Builds successfully
- All existing tests pass
- The color palette is properly supported by the upstream
`gitea.com/go-chi/captcha` library
---
Generated with Claude Code
---------
Signed-off-by: majiayu000 <1835304752@qq.com>
Co-authored-by: silverwind <me@silverwind.io>
Resolves#36381 by only allowing admins to perform branch renames that
match to branch protection rules.
---------
Co-authored-by: Giteabot <teabot@gitea.io>
1. Remove those checks for the sake of build performance and because go
and node will fail anyways if their versions are incorrect.
3. Support pre-release Node version for determining NODE_VARS.
2. Update to the chinese READMEs to mention `pnpm` which is already
present in english README.
---------
Co-authored-by: techknowlogick <techknowlogick@gitea.com>
Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Most potential deadlock problems should have been fixed, and new code is
unlikely to cause new problems with the new design.
Also raise the minimum Git version required to 2.6.0 (released in 2015)
### Summary
Fix incorrect newline handling in markdown editor when using IME input.
### Details
While composing text with an IME, pressing Enter should not trigger
markdown indentation logic.
This change skips indentation handling during composition by checking
`e.isComposing`.
This prevents unexpected line breaks and formatting issues for CJK
users.
Maybe fix#32018
- Use `gitrepo.GetMergeBase` method instead of other two
implementations.
- Add `FetchRemoteCommit` so that we don't need to add many `remote` to
the git repository to avoid possible git lock conflicts. A lock will
start when invoke the function, it will be invoked when cross-repository
comparing. The head repository will fetch the base repository's base
commit id. In most situations, it should lock the fork repositories so
that it should not become a bottleneck.
- Improve `GetCompareInfo` to remove unnecessarily adding remote.
- Remove unnecessary parameters of `SignMerge`.
