- Update to version 11.0.7:
  * Vulnerability (Critical): prevent writing to out-of-repo symlink
    destinations while evaluating template repos
  * Vulnerability (Medium): prevent .forgejo/template from being out-of-repo
    content
  * Vulnerability (Medium): return on error if an LFS token cannot be parsed
  * Vulnerability (Low): prevent commit API from leaking user's hidden email
    address on valid GPG signed commits
OBS-URL: https://build.opensuse.org/request/show/1313901
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo-longterm?expand=0&rev=5
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=8
- update to version 11.0.6:
  * Do not display the title of unsubscribed issues or pull requests in the
    notification web page
  * fix: package cleanup rules are not applied when there are more than 200
    packages
  * fix: LFS GC is never running because of a bug in the parsing of the INI file
  * chore: build-release must close the cascading pull request
- update to version 11.0.5:
  * Update dependency mermaid to v11.10.0
  * Update module github.com/ulikunitz/xz to v0.5.15
- update to version 11.0.4:
  * fix: validate CSRF on non-safe methods All PUT/DELETE routes
  * fix: use credential helpers for git clones When performing a git clone that
    requires credentials
  * fix: consistently enforce 2FA on OpenID 2.0
  * fix: delete old auth token upon replacing primary email
  * fix: require password login for creation of new token
  * fix: ensure GetUserByEmail only considers validated emails
  * fix: don't allow credentials in migrate/push mirror URL
  * fix: only redirect to a new owner (organization or user) if the user has
    permissions to view the new owner
OBS-URL: https://build.opensuse.org/request/show/1306122
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo-longterm?expand=0&rev=3
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=6
- update to 11.0.3:
  * fixing git security vulnerability
  * add missing lazy load attribute to images
  * backport of translation updates
  * do not ignore automerge while a PR is checking for conflicts
  * user activation with uppercase email address
  * collaborator can edit wiki with write access
  * fix: corrupted wiki unit default permission
  * fix: skip empty tokens in SearchOptions.Tokens()
  * fix: make API /repos/{owner}/{repo}/compare/{basehead} work with forks
  * fix(ui): release: name is overridden with tag name on edit
  * Revert "fix(api): document is_system_webhook field"
- Update to 11.0.2:
  * Features
    - make Forgejo Actions server logs less noisy
  * Bug fixes
    - do not fail when release or wiki is set in /repos/migrate API
    - ignore expired artifacts for quota calculation
    - pull request cross references
    - quote reply in Chromium
    - fix: make hash pattern more strict
  * Included for completeness but not worth a release note
    - remove download attribute from external assets
    - bleve to v2.5.2 with changes made in backport of 2.5.0
    - show membership of limited orgs
    - Update dependency go to v1.24.3 (v11.0/forgejo)
    - drop unused @typescript-eslint/parser package
    - suppress non actionable XORM warnings
    - aggregate deleted team as ghost team
    - center footer links
OBS-URL: https://build.opensuse.org/request/show/1295902
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo-longterm?expand=0&rev=2
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=5