19 Commits

Author SHA256 Message Date
5b73da40fd Accepting request 1330179 from devel:tools:scm
- Update to version 11.0.10:
  * fix: add forgejo doctor cleanup-commit-status command
  * fix: correctly compute required commit status
  * chore: correct spelling error in cleanup-commit-status CLI docs
- Update to version 11.0.9:
  * fix: hide user profile anonymous options on public repo APIs
  * fix: incorrect whitespace handling on pre&post receive hooks
  * fix: reduce memory usage while processing large attachment uploads
  * fix: load reviewer for pull review dismiss action notifier
  * fix: use correct GPG key for export
  * fix: don't duplicate commit status records on workflows with empty name
  * fix: build-release workflow stops its own end-to-end checks when run concurrently
  * fix: password leak in log messages

OBS-URL: https://build.opensuse.org/request/show/1330179
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo-longterm?expand=0&rev=7
2026-02-01 21:03:03 +00:00
Richard Rahl
ab33b88753 Accepting request 1330177 from home:rrahl0
OBS-URL: https://build.opensuse.org/request/show/1330177
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=12
2026-01-31 14:04:43 +00:00
Richard Rahl
74d36da245 Accepting request 1330158 from home:rrahl0
- Update to version 11.0.10:
  * fix: add forgejo doctor cleanup-commit-status command
  * fix: correctly compute required commit status
  * chore: correct spelling error in cleanup-commit-status CLI docs
- Update to version 11.0.9:
  * fix: hide user profile anonymous options on public repo APIs
  * fix: incorrect whitespace handling on pre&post receive hooks
  * fix: reduce memory usage while processing large attachment uploads
  * fix: load reviewer for pull review dismiss action notifier
  * fix: use correct GPG key for export
  * fix: don't duplicate commit status records on workflows with empty name
  * fix: build-release workflow stops its own end-to-end checks when run concurrently
  * fix: password leak in log messages

OBS-URL: https://build.opensuse.org/request/show/1330158
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=11
2026-01-31 13:18:11 +00:00
1d9beab438 Accepting request 1321399 from devel:tools:scm
- Update to version 11.0.8:
  * fix(api): fix dependency repo perms in Create/RemoveIssueDependency
  * fix(api): draft releases could be read before being published
  * misconfigured security checks on tag delete web form
  * incorrect logic in "Update PR" did not enforce head branch protection rules correctly
  * issue owner can delete another user's comment's edit history on same issue
  * tag protection rules can be bypassed during tag delete operation
  * fix: frontend-checks failure
  * feat: Replace mholt/archiver/v3 with mholt/archives
- remove patches fix-CVE-2025-47911.patch and fix-CVE-2025-58190.patch,
  fixed upstream

OBS-URL: https://build.opensuse.org/request/show/1321399
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo-longterm?expand=0&rev=6
2025-12-08 10:55:30 +00:00
Richard Rahl
dbb73c0e67 Accepting request 1321398 from home:rrahl0
* fix(api): fix dependency repo perms in Create/RemoveIssueDependency
  * fix(api): draft releases could be read before being published
  * incorrect logic in "Update PR" did not enforce head branch protection rules correctly
  * fix: frontend-checks failure
  * feat: Replace mholt/archiver/v3 with mholt/archives

OBS-URL: https://build.opensuse.org/request/show/1321398
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=10
2025-12-06 21:49:12 +00:00
Richard Rahl
3de675bda8 Accepting request 1321394 from home:rrahl0
- Update to version 11.0.8:
  * fix dependency repo perms in Create/RemoveIssueDependency
  * draft releases could be read before being published
  * misconfigured security checks on tag delete web form
  * incorrect logic in "Update PR" did not enforce head branch protection rules
    correctly
  * issue owner can delete another user's comment's edit history on same issue
  * tag protection rules can be bypassed during tag delete operation
  * fix: support git clone when /tmp has noexec
  * fix: get new session from enginegroup instead of masterengine
  * fix: endless redirection loop between /user/settings/change_password and
    /user/settings/security
  * fix(alt): handle package names with dots in ALT repository
  * fix: pull request review comment position
  * fix: less restrictive matrix room_id pattern
  * fix: add required headers to Pagure migration
  * fix: prevent orgs from being added as members of orgs
  * fix(api): set all hook event types
  * fix: don't show ConEmu OSC escape sequences
  * fix: set tag message on tag addition
  * fix: construct project links in timeline better
- remove patches fix-CVE-2025-47911.patch and fix-CVE-2025-58190.patch,
  fixed upstream

OBS-URL: https://build.opensuse.org/request/show/1321394
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=9
2025-12-06 21:43:05 +00:00
5a4c74766c Accepting request 1313901 from devel:tools:scm
- Update to version 11.0.7:
  * Vulnerability (Critical): prevent writing to out-of-repo symlink
    destinations while evaluating template repos
  * Vulnerability (Medium): prevent .forgejo/template from being out-of-repo
    content
  * Vulnerability (Medium): return on error if an LFS token cannot be parsed
  * Vulnerability (Low): prevent commit API from leaking user's hidden email
    address on valid GPG signed commits

OBS-URL: https://build.opensuse.org/request/show/1313901
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo-longterm?expand=0&rev=5
2025-10-28 13:46:59 +00:00
Richard Rahl
4bc2963ddf Accepting request 1313900 from home:rrahl0
- Update to version 11.0.7:
  * Vulnerability (Critical): prevent writing to out-of-repo symlink
    destinations while evaluating template repos
  * Vulnerability (Medium): prevent .forgejo/template from being out-of-repo
    content
  * Vulnerability (Medium): return on error if an LFS token cannot be parsed
  * Vulnerability (Low): prevent commit API from leaking user's hidden email
    address on valid GPG signed commits

OBS-URL: https://build.opensuse.org/request/show/1313900
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=8
2025-10-27 16:34:37 +00:00
66c5eed75e Accepting request 1309959 from devel:tools:scm
- add fix-CVE-2025-47911.patch, fixing bsc#1251472
- add fix-CVE-2025-58190.patch, fixing bsc#1251668

OBS-URL: https://build.opensuse.org/request/show/1309959
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo-longterm?expand=0&rev=4
2025-10-09 13:07:24 +00:00
Richard Rahl
a995912926 Accepting request 1309958 from home:rrahl0
- add fix-CVE-2025-47911.patch, fixing bsc#1251472
- add fix-CVE-2025-58190.patch, fixing bsc#1251668

OBS-URL: https://build.opensuse.org/request/show/1309958
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=7
2025-10-09 10:38:32 +00:00
edd9502f64 Accepting request 1306122 from devel:tools:scm
- update to version 11.0.6:
  * Do not display the title of unsubscribed issues or pull requests in the
    notification web page
  * fix: package cleanup rules are not applied when there are more than 200
    packages
  * fix: LFS GC is never running because of a bug in the parsing of the INI file
  * chore: build-release must close the cascading pull request

- update to version 11.0.5:
  * Update dependency mermaid to v11.10.0
  * Update module github.com/ulikunitz/xz to v0.5.15
- update to version 11.0.4:
  * fix: validate CSRF on non-safe methods All PUT/DELETE routes
  * fix: use credential helpers for git clones When performing a git clone that
    requires credentials
  * fix: consistently enforce 2FA on OpenID 2.0
  * fix: delete old auth token upon replacing primary email
  * fix: require password login for creation of new token
  * fix: ensure GetUserByEmail only considers validated emails
  * fix: don't allow credentials in migrate/push mirror URL
  * fix: only redirect to a new owner (organization or user) if the user has
    permissions to view the new owner

OBS-URL: https://build.opensuse.org/request/show/1306122
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo-longterm?expand=0&rev=3
2025-09-20 20:04:57 +00:00
Richard Rahl
34a5b977c6 Accepting request 1306121 from home:rrahl0
- update to version 11.0.6:
  * Do not display the title of unsubscribed issues or pull requests in the
    notification web page
  * fix: package cleanup rules are not applied when there are more than 200
    packages
  * fix: LFS GC is never running because of a bug in the parsing of the INI file
  * chore: build-release must close the cascading pull request

- update to version 11.0.5:
  * Update dependency mermaid to v11.10.0
  * Update module github.com/ulikunitz/xz to v0.5.15
- update to version 11.0.4:
  * fix: validate CSRF on non-safe methods All PUT/DELETE routes
  * fix: use credential helpers for git clones When performing a git clone that
    requires credentials
  * fix: consistently enforce 2FA on OpenID 2.0
  * fix: delete old auth token upon replacing primary email
  * fix: require password login for creation of new token
  * fix: ensure GetUserByEmail only considers validated emails
  * fix: don't allow credentials in migrate/push mirror URL
  * fix: only redirect to a new owner (organization or user) if the user has
    permissions to view the new owner

OBS-URL: https://build.opensuse.org/request/show/1306121
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=6
2025-09-20 11:43:15 +00:00
074bfe2fbe Accepting request 1295902 from devel:tools:scm
- update to 11.0.3:
  * fixing git security vulnerability
  * add missing lazy load attribute to images
  * backport of translation updates
  * do not ignore automerge while a PR is checking for conflicts
  * user activation with uppercase email address
  * collaborator can edit wiki with write access
  * fix: corrupted wiki unit default permission
  * fix: skip empty tokens in SearchOptions.Tokens()
  * fix: make API /repos/{owner}/{repo}/compare/{basehead} work with forks
  * fix(ui): release: name is overridden with tag name on edit
  * Revert "fix(api): document is_system_webhook field
- Update to 11.0.2:
  * Features
    - make Forgejo Actions server logs less noisy
  * Bug fixes
    - do not fail when release or wiki is set in /repos/migrate API
    - ignore expired artifacts for quota calculation
    - pull request cross references
    - quote reply in Chromium
    - fix: make hash pattern more strict
  * Included for completeness but not worth a release note
    - remove download attribute from external assets
    - bleve to v2.5.2 with changes made in backport of 2.5.0
    - show membership of limited orgs
    - date dependency go to v1.24.3 (v11.0/forgejo)
    - drop unused @typescript-eslint/parser package
    - suppress non actionable XORM warnings
    - aggregate deleted team as ghost team
    - center footer links

OBS-URL: https://build.opensuse.org/request/show/1295902
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo-longterm?expand=0&rev=2
2025-07-27 14:26:52 +00:00
Richard Rahl
b98a7045a0 Accepting request 1295899 from home:rrahl0
- update to 11.0.3:
  * fixing git security vulnerability
  * add missing lazy load attribute to images
  * backport of translation updates
  * do not ignore automerge while a PR is checking for conflicts
  * user activation with uppercase email address
  * collaborator can edit wiki with write access
  * fix: corrupted wiki unit default permission
  * fix: skip empty tokens in SearchOptions.Tokens()
  * fix: make API /repos/{owner}/{repo}/compare/{basehead} work with forks
  * fix(ui): release: name is overridden with tag name on edit
  * Revert "fix(api): document is_system_webhook field
- Update to 11.0.2:
  * Features
    - make Forgejo Actions server logs less noisy
  * Bug fixes
    - do not fail when release or wiki is set in /repos/migrate API
    - ignore expired artifacts for quota calculation
    - pull request cross references
    - quote reply in Chromium
    - fix: make hash pattern more strict
  * Included for completeness but not worth a release note
    - remove download attribute from external assets
    - bleve to v2.5.2 with changes made in backport of 2.5.0
    - show membership of limited orgs
    - date dependency go to v1.24.3 (v11.0/forgejo)
    - drop unused @typescript-eslint/parser package
    - suppress non actionable XORM warnings
    - aggregate deleted team as ghost team
    - center footer links

OBS-URL: https://build.opensuse.org/request/show/1295899
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=5
2025-07-26 15:44:58 +00:00
a0abd53c50 Accepting request 1284916 from devel:tools:scm
OBS-URL: https://build.opensuse.org/request/show/1284916
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo-longterm?expand=0&rev=1
2025-06-12 13:52:51 +00:00
Richard Rahl
347aae839a Accepting request 1284915 from home:rrahl0
OBS-URL: https://build.opensuse.org/request/show/1284915
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=4
2025-06-11 17:01:57 +00:00
Richard Rahl
57c9651a99 Accepting request 1284785 from home:rrahl0
- conflict all subpackages to forgejo equivalent packages

OBS-URL: https://build.opensuse.org/request/show/1284785
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=3
2025-06-11 11:13:56 +00:00
Richard Rahl
b4584d648b Accepting request 1284746 from home:rrahl0
- add the patched vendored dependencies

OBS-URL: https://build.opensuse.org/request/show/1284746
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=2
2025-06-11 09:45:50 +00:00
84684e95b5 Accepting request 1281798 from home:rrahl0
OBS-URL: https://build.opensuse.org/request/show/1281798
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo-longterm?expand=0&rev=1
2025-06-02 12:22:02 +00:00