Accepting request 1224537 from devel:tools:scm

- update to 9.0.2:
  * it was possible to use a token sent via email for secondary email validation
    to reset the password instead. In other words, a token sent for a given
    action (registration, password reset or secondary email validation) could
    be used to perform a different action.
  * a fork of a public repository would show in the list of forks, even if its
    owner was not a public user or organization.
  * the members of an organization team with read access to a repository (e.g.
    to read issues) but no read access to the code could read the RSS or atom
    feeds which include the commit activity. Reading the RSS or atom feeds is
    now denied unless the team has read permissions on the code.
  * the tokens used when replying by email to issues or pull requests were
    weaker than the rfc2104 recommendations.
  * a registered user could modify the update frequency of any push mirror.
  * it was possible to use basic authorization (i.e. user:password) for requests
    to the API even when security keys were enrolled for a user.
  * some markup sanitation rules were not as strong as they could be.
  * when Forgejo is configured to enable instance wide search (e.g. with bleve),
    results found in the repositories of private or limited users were displayed
    to anonymous visitors.
  * fix: handle renamed dependency for cargo registry.
  * support www.github.com for migrations.
  * move forgot_password-link to fix login tab order.
  * code owners will not be mentioned when a pull request comes from a forked
    repository.
  * labels are missing in the pull request payload removing a label.
  * in a Forgejo Actions workflow, the unlabeled event type for pull requests
    was incorrectly mapped to the labeled event type.
  * when a Forgejo Actions issue or pull request workflow is triggered by an
    labeled or unlabeled event type, it misses information about the label added (forwarded request 1224536 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1224537
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=19

forgejo-src-9.0.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6748c49677374947eb619b13f9ede983682ae117b8c0405442cc9afc847c4040
-size 53961959

forgejo-src-9.0.1.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZx+nywAKCRCkthotxZI3
-ENlLAQCGXdYLfhCxIU8bKx+n2hvTvkbJPmPxs7FVhDtggAuq5gEAxubIGrthDqw9
-Qr9g7bvuMR7solGMkjzsB73IHqMsXwU=
-=g0qb
------END PGP SIGNATURE-----

forgejo-src-9.0.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4de691751256e75258573815f14406905999e991c1d9790c6069dfef47319e1d
+size 53992927

forgejo-src-9.0.2.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZzeoLwAKCRCkthotxZI3
+EH4iAP9XuioervFeW/MxfUHj1/zL2knDYYZAKnuWcPi19BytYwEA3KxcVlrvTgWL
+oZBSoqn0BWtIkmlOtRxDxu8mBGXrRgw=
+=/4OE
+-----END PGP SIGNATURE-----

forgejo.changes

@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Sat Nov 16 03:16:51 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 9.0.2:
+  * it was possible to use a token sent via email for secondary email validation
+    to reset the password instead. In other words, a token sent for a given
+    action (registration, password reset or secondary email validation) could
+    be used to perform a different action.
+  * a fork of a public repository would show in the list of forks, even if its
+    owner was not a public user or organization.
+  * the members of an organization team with read access to a repository (e.g.
+    to read issues) but no read access to the code could read the RSS or atom
+    feeds which include the commit activity. Reading the RSS or atom feeds is
+    now denied unless the team has read permissions on the code.
+  * the tokens used when replying by email to issues or pull requests were
+    weaker than the rfc2104 recommendations.
+  * a registered user could modify the update frequency of any push mirror.
+  * it was possible to use basic authorization (i.e. user:password) for requests
+    to the API even when security keys were enrolled for a user.
+  * some markup sanitation rules were not as strong as they could be.
+  * when Forgejo is configured to enable instance wide search (e.g. with bleve),
+    results found in the repositories of private or limited users were displayed
+    to anonymous visitors.
+  * fix: handle renamed dependency for cargo registry.
+  * support www.github.com for migrations.
+  * move forgot_password-link to fix login tab order.
+  * code owners will not be mentioned when a pull request comes from a forked
+    repository.
+  * labels are missing in the pull request payload removing a label.
+  * in a Forgejo Actions workflow, the unlabeled event type for pull requests
+    was incorrectly mapped to the labeled event type.
+  * when a Forgejo Actions issue or pull request workflow is triggered by an
+    labeled or unlabeled event type, it misses information about the label added
+    or removed. It is now available in the label data member of the event payload.
+  * pull request workflow must always update the head SHA commit status.
+  * fix git-grep for code search when git version is below 2.38.
+
 -------------------------------------------------------------------
 Mon Oct 28 17:09:05 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
 

forgejo.spec

@@ -30,7 +30,7 @@
 %endif
 %endif
 Name:           forgejo
-Version:        9.0.1
+Version:        9.0.2
 Release:        0
 Summary:        Self-hostable forge
 License:        GPL-3.0-or-later

node_modules.obscpio

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b424002185eb0cfdfd4595ae155c0b8ab1574bc92c67bcaedeca2bdecd78fe89
-size 210358804
+oid sha256:7ecfba8aaa664b93f3a42e279ada2e5082e0d8d2bd0056b5f2faca7e34abc920
+size 210595124

node_modules.spec.inc

@@ -652,7 +652,7 @@ Source10650:         https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11
 Source10651:         https://registry.npmjs.org/graphemer/-/graphemer-1.4.0.tgz#/graphemer-1.4.0.tgz
 Source10652:         https://registry.npmjs.org/hachure-fill/-/hachure-fill-0.5.2.tgz#/hachure-fill-0.5.2.tgz
 Source10653:         https://registry.npmjs.org/hammerjs/-/hammerjs-2.0.8.tgz#/hammerjs-2.0.8.tgz
-Source10654:         https://registry.npmjs.org/happy-dom/-/happy-dom-15.7.4.tgz#/happy-dom-15.7.4.tgz
+Source10654:         https://registry.npmjs.org/happy-dom/-/happy-dom-15.10.2.tgz#/happy-dom-15.10.2.tgz
 Source10655:         https://registry.npmjs.org/has-bigints/-/has-bigints-1.0.2.tgz#/has-bigints-1.0.2.tgz
 Source10656:         https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz#/has-flag-3.0.0.tgz
 Source10657:         https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz#/has-flag-4.0.0.tgz

package-lock.json

@@ -84,7 +84,7 @@
         "eslint-plugin-vue": "9.28.0",
         "eslint-plugin-vue-scoped-css": "2.8.1",
         "eslint-plugin-wc": "2.1.1",
-        "happy-dom": "15.7.4",
+        "happy-dom": "15.10.2",
         "license-checker-rseidelsohn": "4.4.2",
         "markdownlint-cli": "0.41.0",
         "postcss-html": "1.7.0",
@@ -10088,9 +10088,9 @@
       }
     },
     "node_modules/happy-dom": {
-      "version": "15.7.4",
-      "resolved": "https://registry.npmjs.org/happy-dom/-/happy-dom-15.7.4.tgz",
-      "integrity": "sha512-r1vadDYGMtsHAAsqhDuk4IpPvr6N8MGKy5ntBo7tSdim+pWDxus2PNqOcOt8LuDZ4t3KJHE+gCuzupcx/GKnyQ==",
+      "version": "15.10.2",
+      "resolved": "https://registry.npmjs.org/happy-dom/-/happy-dom-15.10.2.tgz",
+      "integrity": "sha512-NbA5XrSovenJIIcfixCREX3ZnV7yHP4phhbfuxxf4CPn+LZpz/jIM9EqJ2DrPwgVDSMoAKH3pZwQvkbsSiCrUw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {