diff --git a/forgejo-src-9.0.1.tar.gz b/forgejo-src-9.0.1.tar.gz
deleted file mode 100644
index d4bb5df..0000000
--- a/forgejo-src-9.0.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6748c49677374947eb619b13f9ede983682ae117b8c0405442cc9afc847c4040
-size 53961959
diff --git a/forgejo-src-9.0.1.tar.gz.asc b/forgejo-src-9.0.1.tar.gz.asc
deleted file mode 100644
index 69202ca..0000000
--- a/forgejo-src-9.0.1.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZx+nywAKCRCkthotxZI3
-ENlLAQCGXdYLfhCxIU8bKx+n2hvTvkbJPmPxs7FVhDtggAuq5gEAxubIGrthDqw9
-Qr9g7bvuMR7solGMkjzsB73IHqMsXwU=
-=g0qb
------END PGP SIGNATURE-----
diff --git a/forgejo-src-9.0.2.tar.gz b/forgejo-src-9.0.2.tar.gz
new file mode 100644
index 0000000..a2f62c1
--- /dev/null
+++ b/forgejo-src-9.0.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4de691751256e75258573815f14406905999e991c1d9790c6069dfef47319e1d
+size 53992927
diff --git a/forgejo-src-9.0.2.tar.gz.asc b/forgejo-src-9.0.2.tar.gz.asc
new file mode 100644
index 0000000..146e78a
--- /dev/null
+++ b/forgejo-src-9.0.2.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZzeoLwAKCRCkthotxZI3
+EH4iAP9XuioervFeW/MxfUHj1/zL2knDYYZAKnuWcPi19BytYwEA3KxcVlrvTgWL
+oZBSoqn0BWtIkmlOtRxDxu8mBGXrRgw=
+=/4OE
+-----END PGP SIGNATURE-----
diff --git a/forgejo.changes b/forgejo.changes
index 377b37d..f726a44 100644
--- a/forgejo.changes
+++ b/forgejo.changes
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Sat Nov 16 03:16:51 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 9.0.2:
+  * it was possible to use a token sent via email for secondary email validation
+    to reset the password instead. In other words, a token sent for a given
+    action (registration, password reset or secondary email validation) could
+    be used to perform a different action.
+  * a fork of a public repository would show in the list of forks, even if its
+    owner was not a public user or organization.
+  * the members of an organization team with read access to a repository (e.g.
+    to read issues) but no read access to the code could read the RSS or atom
+    feeds which include the commit activity. Reading the RSS or atom feeds is
+    now denied unless the team has read permissions on the code.
+  * the tokens used when replying by email to issues or pull requests were
+    weaker than the rfc2104 recommendations.
+  * a registered user could modify the update frequency of any push mirror.
+  * it was possible to use basic authorization (i.e. user:password) for requests
+    to the API even when security keys were enrolled for a user.
+  * some markup sanitation rules were not as strong as they could be.
+  * when Forgejo is configured to enable instance wide search (e.g. with bleve),
+    results found in the repositories of private or limited users were displayed
+    to anonymous visitors.
+  * fix: handle renamed dependency for cargo registry.
+  * support www.github.com for migrations.
+  * move forgot_password-link to fix login tab order.
+  * code owners will not be mentioned when a pull request comes from a forked
+    repository.
+  * labels are missing in the pull request payload removing a label.
+  * in a Forgejo Actions workflow, the unlabeled event type for pull requests
+    was incorrectly mapped to the labeled event type.
+  * when a Forgejo Actions issue or pull request workflow is triggered by an
+    labeled or unlabeled event type, it misses information about the label added
+    or removed. It is now available in the label data member of the event payload.
+  * pull request workflow must always update the head SHA commit status.
+  * fix git-grep for code search when git version is below 2.38.
+
 -------------------------------------------------------------------
 Mon Oct 28 17:09:05 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
 
diff --git a/forgejo.spec b/forgejo.spec
index 3060fdc..2db7cc1 100644
--- a/forgejo.spec
+++ b/forgejo.spec
@@ -30,7 +30,7 @@
 %endif
 %endif
 Name:           forgejo
-Version:        9.0.1
+Version:        9.0.2
 Release:        0
 Summary:        Self-hostable forge
 License:        GPL-3.0-or-later
diff --git a/node_modules.obscpio b/node_modules.obscpio
index 3d43cf4..afe477f 100644
--- a/node_modules.obscpio
+++ b/node_modules.obscpio
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b424002185eb0cfdfd4595ae155c0b8ab1574bc92c67bcaedeca2bdecd78fe89
-size 210358804
+oid sha256:7ecfba8aaa664b93f3a42e279ada2e5082e0d8d2bd0056b5f2faca7e34abc920
+size 210595124
diff --git a/node_modules.spec.inc b/node_modules.spec.inc
index 032490a..a7da208 100644
--- a/node_modules.spec.inc
+++ b/node_modules.spec.inc
@@ -652,7 +652,7 @@ Source10650:         https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11
 Source10651:         https://registry.npmjs.org/graphemer/-/graphemer-1.4.0.tgz#/graphemer-1.4.0.tgz
 Source10652:         https://registry.npmjs.org/hachure-fill/-/hachure-fill-0.5.2.tgz#/hachure-fill-0.5.2.tgz
 Source10653:         https://registry.npmjs.org/hammerjs/-/hammerjs-2.0.8.tgz#/hammerjs-2.0.8.tgz
-Source10654:         https://registry.npmjs.org/happy-dom/-/happy-dom-15.7.4.tgz#/happy-dom-15.7.4.tgz
+Source10654:         https://registry.npmjs.org/happy-dom/-/happy-dom-15.10.2.tgz#/happy-dom-15.10.2.tgz
 Source10655:         https://registry.npmjs.org/has-bigints/-/has-bigints-1.0.2.tgz#/has-bigints-1.0.2.tgz
 Source10656:         https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz#/has-flag-3.0.0.tgz
 Source10657:         https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz#/has-flag-4.0.0.tgz
diff --git a/package-lock.json b/package-lock.json
index 177824d..2fed43f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -84,7 +84,7 @@
         "eslint-plugin-vue": "9.28.0",
         "eslint-plugin-vue-scoped-css": "2.8.1",
         "eslint-plugin-wc": "2.1.1",
-        "happy-dom": "15.7.4",
+        "happy-dom": "15.10.2",
         "license-checker-rseidelsohn": "4.4.2",
         "markdownlint-cli": "0.41.0",
         "postcss-html": "1.7.0",
@@ -10088,9 +10088,9 @@
       }
     },
     "node_modules/happy-dom": {
-      "version": "15.7.4",
-      "resolved": "https://registry.npmjs.org/happy-dom/-/happy-dom-15.7.4.tgz",
-      "integrity": "sha512-r1vadDYGMtsHAAsqhDuk4IpPvr6N8MGKy5ntBo7tSdim+pWDxus2PNqOcOt8LuDZ4t3KJHE+gCuzupcx/GKnyQ==",
+      "version": "15.10.2",
+      "resolved": "https://registry.npmjs.org/happy-dom/-/happy-dom-15.10.2.tgz",
+      "integrity": "sha512-NbA5XrSovenJIIcfixCREX3ZnV7yHP4phhbfuxxf4CPn+LZpz/jIM9EqJ2DrPwgVDSMoAKH3pZwQvkbsSiCrUw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {