There are a few vulnerabilities reported with:
```
npx pnpm audit
...
6 vulnerabilities found
Severity: 2 moderate | 3 high | 1 critical
```
Fix them by upgrading.
Backport #36039 by @lunny
Fix #36026
The redirect should be checked when original user/repo doesn't exist.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #36078 by @a1012112796
fix #36071
Looks like that's because if an svg is in a hidden env, its color added by
`fill="url(#a)"` will become not useful. With AI helping, I think moving
it out of the page by position is a good solution. Feel free to create a new
pull request if you have a better solution. Thanks.
Signed-off-by: a1012112796 <1012112796@qq.com>
Co-authored-by: a1012112796 <1012112796@qq.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #36055 by @lunny
Replace #36032
Fix #36030
This PR uses `net/smtp` instead of gomail's smtp. Now
github.com/wneessen/go-mail will be used only for generating email
message body.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #36068 by @lunny
Follow #36058 for API edit user bug when editing email.
- The Admin Edit User API includes a breaking change. Previously, when
updating a user with an email from an unallowed domain, the request
would succeed but return a warning in the response headers. Now, the
request will fail and return an error in the response body instead.
- Removed `AdminAddOrSetPrimaryEmailAddress` because it will not be used
anywhere.
Fix https://github.com/go-gitea/gitea/pull/36058#issuecomment-3600005186
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #36058 by @lunny
Fix #20390
We should use `ReplacePrimaryEmailAddress` instead of
`AdminAddOrSetPrimaryEmailAddress` when modifying a user's email from the admin
panel. We also need a database transaction so that the deletion and
insertion succeed at the same time.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #36045
Partially fix #34710
The bug described in #34710 can be divided into two parts: `push.paths`
and `pull_request.paths`. This PR fixes the issue related to
`pull_request.paths`. The root cause is that the check for whether the
workflow can be triggered happens **before** updating the PR’s merge
base. This causes the file-change detection to use the old merge base.
Therefore, we need to update the merge base first and then check whether
the workflow can be triggered.
Backport #36041 by @hamkido
- Updated error message in `incoming.go` to remove unnecessary wrapping
of the error.
- Corrected typo in error message in `wiki.go` for clarity.
Co-authored-by: hamkido <hamki.do2000@gmail.com>
Backport #36021 by wxiaoguang
1. the `if` check in `handleCreateManifestResult` didn't handle err
correctly
2. add more error details for debugging
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #35967 by @DrMaxNix
Consistently use a `star` icon to highlight the default column of a
project.
The icon is both shown while viewing the project, as well as while
changing the default status of this column.
Co-authored-by: DrMaxNix <git@drmaxnix.de>
Backport #35897 by lutinglt
Typically, you want to download the binaries, not the source code.
Co-authored-by: 鲁汀 <131967983+lutinglt@users.noreply.github.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #35876 by @silverwind
1. Set a fixed height on the element, preventing the content after the
element from shifting on page load. This uses CSS [container query
length
units](https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_containment/Container_queries#container_query_length_units)
as I saw no other way because of the non-linear scaling of the element.
2. Move the "total-contributions" text into the existing vue slot,
eliminating the need for absolute positioning.
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #35861 by @divyun
Since 1.25.0, the dates get set to `2001-01-01T00:00:00Z`, when not
specified by the caller.
Fixes #35860
Co-authored-by: Divyun Raje Vaid <mail@divyun.com>
Backport #35840
#35783 fixes an actions rerun bug. Due to this bug, some runs may be
incorrectly marked as `StatusWaiting` even though all the jobs are in
done status. These runs cannot be run or cancelled. This PR adds a new
doctor command to fix the inconsistent run status.
```
gitea doctor check --run fix-actions-unfinished-run-status --fix
```
Fix #35781, #27472
Backport #35819
The PR will not correct the wrong numbers automatically.
There is a cron task `check_repo_stats` which will be run when Gitea
starts or at midnight. It will correct the numbers.
Backport #35793 by @silverwind
During https://github.com/go-gitea/gitea/issues/35790, it was noticed
that this PNG image had the wrong file extension. I also verified
`dingtalk.ico` and that one is actually an `.ico`.
Co-authored-by: silverwind <me@silverwind.io>
Backport #35783
Fix #35780, fix #35782
Rerunning a job or a run is only allowed when the job is done and the
run is done.
Related PR: #34970
98ff7d0773/routers/web/repo/actions/view.go (L239)
We don't need to check run status again in `rerunJob` because the run
status has been changed before `rerunJob`.
---
In fact, the bug described in the above issues will not occur on the
main branch, because `getRunJobs` is called before updating the run.
98ff7d0773/routers/web/repo/actions/view.go (L425-L435)
So the run status that `rerunJob` checks is the old status.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>