- update to 9.0.2:
* it was possible to use a token sent via email for secondary email validation
to reset the password instead. In other words, a token sent for a given
action (registration, password reset or secondary email validation) could
be used to perform a different action.
* a fork of a public repository would show in the list of forks, even if its
owner was not a public user or organization.
* the members of an organization team with read access to a repository (e.g.
to read issues) but no read access to the code could read the RSS or atom
feeds which include the commit activity. Reading the RSS or atom feeds is
now denied unless the team has read permissions on the code.
* the tokens used when replying by email to issues or pull requests were
weaker than the rfc2104 recommendations.
* a registered user could modify the update frequency of any push mirror.
* it was possible to use basic authorization (i.e. user:password) for requests
to the API even when security keys were enrolled for a user.
* some markup sanitation rules were not as strong as they could be.
* when Forgejo is configured to enable instance wide search (e.g. with bleve),
results found in the repositories of private or limited users were displayed
to anonymous visitors.
* fix: handle renamed dependency for cargo registry.
* support www.github.com for migrations.
* move forgot_password-link to fix login tab order.
* code owners will not be mentioned when a pull request comes from a forked
repository.
* labels are missing in the pull request payload removing a label.
* in a Forgejo Actions workflow, the unlabeled event type for pull requests
was incorrectly mapped to the labeled event type.
* when a Forgejo Actions issue or pull request workflow is triggered by an
labeled or unlabeled event type, it misses information about the label added (forwarded request 1224536 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1224537
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=19
- update to 9.0.1:
* Forgejo generates a token which is used to authenticate web endpoints that
are only meant to be used internally, for instance when the SSH daemon is
used to push a commit with Git. The verification of this token was not done
in constant time and was susceptible to timing attacks.
* Because of a missing permission check, the branch used to propose a pull
request to a repository can always be deleted by the user performing the merge.
* Fix boolean inputs in workflow_dispatch
* package arch database not updating when uploading "any" architecture
* correct SQL query for active issues
* specify default value for EXPLORE_DEFAULT_SORT.
* fix: Add recentupdated as recognized sort option
* Update dependency mermaid to v11.3.0 (v9.0/forgejo)
* Always update expiration time when creating an artifact
* Update scheduled tasks even if changes are pushed by "ActionsUser"
* Fix disable 2fa bug
* i18n: update of translations from Codeberg Translate
* fix: make branch protection work for new branches
* link to security policy in security.txt
* fix: don't show truncated comments in RSS/Atom feeds
* fix: typo on releases for source code downloads
* Revert "add gap between branch dropdown and PR button"
* fix: Don't double escape delete branch text
* fix: Add server logging for OAuth server errors
* forgejo-cli is now a symlink and cannot be used for sanity checks
* fix: correct documentation for non 200 responses in swagger
- forgejo is since 9.0.0 GPL-3.0-or-later (forwarded request 1218912 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1218913
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=18
* Forgejo generates a token which is used to authenticate web endpoints that
are only meant to be used internally, for instance when the SSH daemon is
used to push a commit with Git. The verification of this token was not done
in constant time and was susceptible to timing attacks.
* Because of a missing permission check, the branch used to propose a pull
request to a repository can always be deleted by the user performing the merge.
* Fix boolean inputs in workflow_dispatch
* package arch database not updating when uploading "any" architecture
* correct SQL query for active issues
* specify default value for EXPLORE_DEFAULT_SORT.
* fix: Add recentupdated as recognized sort option
* Update dependency mermaid to v11.3.0 (v9.0/forgejo)
* Always update expiration time when creating an artifact
* Update scheduled tasks even if changes are pushed by "ActionsUser"
* Fix disable 2fa bug
* i18n: update of translations from Codeberg Translate
* fix: make branch protection work for new branches
* link to security policy in security.txt
* fix: don't show truncated comments in RSS/Atom feeds
* fix: typo on releases for source code downloads
* Revert "add gap between branch dropdown and PR button"
* fix: Don't double escape delete branch text
* fix: Add server logging for OAuth server errors
* forgejo-cli is now a symlink and cannot be used for sanity checks
* fix: correct documentation for non 200 responses in swagger
- forgejo is since 9.0.0 GPL-3.0-or-later
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=43
- update to 9.0.0:
* OIDC integrations that POST to /login/oauth/introspect without sending HTTP
basic authentication will now fail
* The public scope of an application token does not filter out private repositories,
organizations or packages in some cases
* Drop support to build Forgejo with the optional go-git Git backend
* Set created_by as the default filter for /issues and /pulls
* Set fuzzy as default for issue search.
* Improve commit graph layout.
* Add support for iconify icons.
* Allow multi-line relationship labels.
* Adds architecture diagrams which allows users to show relations between services.
* Improve diffs generated by Forgejo.
* Add rel="nofollow" to in-list labels.
* Distinguish between new tags, releases and pre-releases on activity page.
* Highlighted code search results.
* Refactor repo migration items.
* Add package counter to repo/user/org overview pages.
* Replace vue-bar-graph with chart.js.
* Add more emoji and code block rendering in issues.
* Bad spacing on new release page.
* Milestone assignment in new issue.
* git-grep: ensure bounded default for MatchesPerFile.
* Incorrect go to citation button.
* Incorrect HTMX support for profile card.
* Accessibility keyboard support for test actions.
* Update pull request icons.
* "Assign to me" button on PR and Issues.
* Add architecture-specific removal support for arch package.
* Add bin to Composer Metadata. (forwarded request 1208670 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1208671
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=17
* OIDC integrations that POST to /login/oauth/introspect without sending HTTP
basic authentication will now fail
* The public scope of an application token does not filter out private repositories,
organizations or packages in some cases
* Drop support to build Forgejo with the optional go-git Git backend
* Set created_by as the default filter for /issues and /pulls
* Set fuzzy as default for issue search.
* Improve commit graph layout.
* Add support for iconify icons.
* Allow multi-line relationship labels.
* Adds architecture diagrams which allows users to show relations between services.
* Improve diffs generated by Forgejo.
* Add rel="nofollow" to in-list labels.
* Distinguish between new tags, releases and pre-releases on activity page.
* Highlighted code search results.
* Refactor repo migration items.
* Add package counter to repo/user/org overview pages.
* Replace vue-bar-graph with chart.js.
* Add more emoji and code block rendering in issues.
* Bad spacing on new release page.
* Milestone assignment in new issue.
* git-grep: ensure bounded default for MatchesPerFile.
* Incorrect go to citation button.
* Incorrect HTMX support for profile card.
* Accessibility keyboard support for test actions.
* Update pull request icons.
* "Assign to me" button on PR and Issues.
* Add architecture-specific removal support for arch package.
* Add bin to Composer Metadata.
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=41
- update to 8.0.2:
* Overflow for images on project cards.
* Allow unreacting from comment popover.
* The scope of application tokens is not verified when writing
containers or Conan packages.
* When a Forgejo Actions workflow includes a workflow_dispatch with
inputs and other events (for instance push), it is silently ignored
because of a parsing error.
* Automerge on AGit pull requests is ignored.
* Show lock owner instead of repo owner on LFS setting page.
* Render plain text file if the LFS object doesn't exist.
* Panic of ssh public key page after deletion of an auth source.
* Add missing repository type filter parameters to pager.
* Reverted a change from Gitea which prevented allow/reject reviews on
merged or closed PRs. This change was not considered by the Forgejo
UI team and there is a consensus that it feels like a regression,
since it interferes with workflows known to be used by Forgejo users
without providing a tangible benefit.
* Run full PR checks on AGit push.
* Updated translations (forwarded request 1197494 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1197495
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=14
* Overflow for images on project cards.
* Allow unreacting from comment popover.
* The scope of application tokens is not verified when writing
containers or Conan packages.
* When a Forgejo Actions workflow includes a workflow_dispatch with
inputs and other events (for instance push), it is silently ignored
because of a parsing error.
* Automerge on AGit pull requests is ignored.
* Show lock owner instead of repo owner on LFS setting page.
* Render plain text file if the LFS object doesn't exist.
* Panic of ssh public key page after deletion of an auth source.
* Add missing repository type filter parameters to pager.
* Reverted a change from Gitea which prevented allow/reject reviews on
merged or closed PRs. This change was not considered by the Forgejo
UI team and there is a consensus that it feels like a regression,
since it interferes with workflows known to be used by Forgejo users
without providing a tangible benefit.
* Run full PR checks on AGit push.
* Updated translations
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=33
- update to 8.0.1:
* A change introduced in Forgejo v1.21 allows a Forgejo user with write
permission on a repository description to inject a client-side script into
the web page viewed by the visitor. This XSS allows for href in anchor
elements to be set to a javascript: URI in the repository description,
which will execute the specified script upon clicking (and not upon
loading). AllowStandardURLs is now called for the repository description
policy, which ensures that URIs in anchor elements are mailto:, http://
or https:// and thereby disallowing the javascript: URI.
* Do not include trailing EOL character when counting lines
* Add background to reactions on hover
* Prevent uppercase in header of dashboard context selector
* Fix page layout in admin settings
* Ensure all filters are persistent in issue filters
* Allow 4 charachter SHA in /src/commit
- update to 8.0.0:
full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0
Highlights:
* remove Microsoft SQL Server support
* introduce a branch/tag dropdown in the code search page
* added support for fuzzy searching in /user/repo/issues and /user/repo/pulls
* API endpoints for managing tag protection.
* add Reviewed-on and Reviewed-by variables to the merge template
* display an error when an issue comment is edited simultaneously by
two users instead of silently overriding one of them
* when installing Forgejo through the built-in installer, open
(self-) registration is now disabled by default
* add support for the reddit and Hubspot OAuth providers.
* CERT management was improved when ENABLE_ACME=true
* language detection in the repository got additional languages (forwarded request 1193292 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1193293
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=13
* A change introduced in Forgejo v1.21 allows a Forgejo user with write
permission on a repository description to inject a client-side script into
the web page viewed by the visitor. This XSS allows for href in anchor
elements to be set to a javascript: URI in the repository description,
which will execute the specified script upon clicking (and not upon
loading). AllowStandardURLs is now called for the repository description
policy, which ensures that URIs in anchor elements are mailto:, http://
or https:// and thereby disallowing the javascript: URI.
* Do not include trailing EOL character when counting lines
* Add background to reactions on hover
* Prevent uppercase in header of dashboard context selector
* Fix page layout in admin settings
* Ensure all filters are persistent in issue filters
* Allow 4 charachter SHA in /src/commit
- update to 8.0.0:
full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0
Highlights:
* remove Microsoft SQL Server support
* introduce a branch/tag dropdown in the code search page
* added support for fuzzy searching in /user/repo/issues and /user/repo/pulls
* API endpoints for managing tag protection.
* add Reviewed-on and Reviewed-by variables to the merge template
* display an error when an issue comment is edited simultaneously by
two users instead of silently overriding one of them
* when installing Forgejo through the built-in installer, open
(self-) registration is now disabled by default
* add support for the reddit and Hubspot OAuth providers.
* CERT management was improved when ENABLE_ACME=true
* language detection in the repository got additional languages
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=31
- update to 7.0.5:
* Fixed: CVE-2024-24791 - GO-2024-2963 Denial of service due to improper
100-continue handling in net/http
* Fixed: authentication Source Administration page wrongfully handles the "Custom URLs Instead
of Default URLs" checkbox (missing checkbox, irrelevant fields).
* Fixed: git push to an adopted repository fails.
* Fixed: markdown doesn't render math within brackets
* Fixed: selecting the "No Project" filter in the issue/pull request list has no effect
* Fixed: error 500 when processing crafted TIFF files.
* Fixed: wrong placeholder text in the form for adding repository collaborator.
OBS-URL: https://build.opensuse.org/request/show/1185730
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=23
- update to 7.0.4:
* Fixed: CVE-2024-24789: the archive/zip package's handling of certain types
of invalid zip files differs from the behavior of most zip implementations.
This misalignment could be exploited to create an zip file with contents that
vary depending on the implementation reading the file.
* the OAuth2 implementation does not always require authentication for public
clients, a requirement of RFC 6749 Section 10.2
* forgejo migrate-storage --type actions-artifacts always fails because it picks the wrong path.
* avatar files can be found in storage while they do not exist in the database.
* repository admins are always denied the right to force merge and instance admins
are subject to restrictions to merge that must only apply to repository admins.
* non conformance with the Nix tarball fetcher immutable link protocol.
* migrated activities (such as reviews) are mapped to the user who initiated the
migration rather than the Ghost user, if the external user cannot be mapped to a
local one. This mapping mismatch leads to internal server errors in some cases.
* a v7.0.0 regression causes [admin].SEND_NOTIFICATION_EMAIL_ON_NEW_USER=true to always be ignored.
* using a subquery for user deletion is a performance bottleneck when using mariadb 10
because only mariadb 11 takes advantage of the available index.
* a v7.0.3 regression causes the expanding diffs in pull requests to fail with a 404 error.
* SourceHut Builds webhook fail when the triggers field is used.
* the label list rendering in the issue and pull request timeline is displayed on
multiple lines instead of a single one.
* Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time.
* automerge does not happen when the approval count reaches the required threshold.
* the FORCE_PRIVATE=true setting is not consistently enforced.
* CSRF validation errors when OAuth is not enabled.
* headlines in rendered org-mode do not have a margin on the top (forwarded request 1181169 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1181170
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=8
- update to 7.0.4:
* Fixed: CVE-2024-24789: the archive/zip package's handling of certain types
of invalid zip files differs from the behavior of most zip implementations.
This misalignment could be exploited to create an zip file with contents that
vary depending on the implementation reading the file.
* the OAuth2 implementation does not always require authentication for public
clients, a requirement of RFC 6749 Section 10.2
* forgejo migrate-storage --type actions-artifacts always fails because it picks the wrong path.
* avatar files can be found in storage while they do not exist in the database.
* repository admins are always denied the right to force merge and instance admins
are subject to restrictions to merge that must only apply to repository admins.
* non conformance with the Nix tarball fetcher immutable link protocol.
* migrated activities (such as reviews) are mapped to the user who initiated the
migration rather than the Ghost user, if the external user cannot be mapped to a
local one. This mapping mismatch leads to internal server errors in some cases.
* a v7.0.0 regression causes [admin].SEND_NOTIFICATION_EMAIL_ON_NEW_USER=true to always be ignored.
* using a subquery for user deletion is a performance bottleneck when using mariadb 10
because only mariadb 11 takes advantage of the available index.
* a v7.0.3 regression causes the expanding diffs in pull requests to fail with a 404 error.
* SourceHut Builds webhook fail when the triggers field is used.
* the label list rendering in the issue and pull request timeline is displayed on
multiple lines instead of a single one.
* Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time.
* automerge does not happen when the approval count reaches the required threshold.
* the FORCE_PRIVATE=true setting is not consistently enforced.
* CSRF validation errors when OAuth is not enabled.
* headlines in rendered org-mode do not have a margin on the top
OBS-URL: https://build.opensuse.org/request/show/1181169
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=21
- update to 7.0.3:
* CVE-2024-24788: a malformed DNS message in response to a query can
cause the lookup functions to get stuck in an infinite loop
* backticks in mermaid block diagram labels are not sanitized properly
* migration of a repository from gogs fails when it is hosted at a subpath.
* when creating an OAuth2 application the redirect URLs are not enforced to
be mandatory
* the API incorrectly excludes repositories where code is not enabled
* "Allow edits from maintainers" cannot be modified via the pull request web UI
* repository activity feeds (including RSS and Atom feeds) contain
repeated activities
* uploading maven packages with metadata being uploaded separately will fail
* the mail notification sent about commits pushed to pull requests are empty
* inline emails attachments are not properly handled when commenting on an
issue via email
* the links to .zip and tar.gz on the tag list web UI fail
* expanding code diff while previewing a pull request before it is created fails
* the CLI is not able to migrate Forgejo Actions artifacts
* when adopting a repository, the default branch is not taken into account
* when using reverse proxy authentication, logout will not be taken into
account when immediately trying to login afterwards
* pushing to the master branch of a sha256 repository fails
* a very long project column name will make the action menu inaccessible
* a useless error is displayed when the title of a merged pull request is
modified
* workflow badges are not working for workflows that are not running on push
(such as scheduled workflows, and ones that run on tags and pull requests)
OBS-URL: https://build.opensuse.org/request/show/1175961
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=19
- update to 7.0.2:
* regression where subscribing to or unsubscribing from an issue in a
repository with no code produced an internal server error.
* regression makes all the refs sent in Gitea webhooks to be full refs and
might break Woodpecker CI pipelines triggered on tag (CI_COMMIT_TAG
contained the full ref). This issue has been fixed in the main branch of
Woodpecker CI as well.
* the webhook branch filter wrongly applied the match on the full ref for
branch creation and deletion (wrongly skipping events).
* toggling the WIP state of a pull request is possible from the sidebar,
but not from the footer.
* when mentioning a user, the markup post-processor does not handle the case
where the mentioned user does not exist: it tries to skip to the next node,
which in turn, ended up skipping the rest of the line.
* excessive and unnecessary database queries when a user with no repositories
is viewing their dashboard.
* duplicate status check contexts show in the branch protection settings.
* profile info fails to render german singular translation.
* inline attachments of incoming emails (as they occur for example with Apple
Mail) are not attached to comments. (forwarded request 1171482 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1171483
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=6
- update to 7.0.2:
* regression where subscribing to or unsubscribing from an issue in a
repository with no code produced an internal server error.
* regression makes all the refs sent in Gitea webhooks to be full refs and
might break Woodpecker CI pipelines triggered on tag (CI_COMMIT_TAG
contained the full ref). This issue has been fixed in the main branch of
Woodpecker CI as well.
* the webhook branch filter wrongly applied the match on the full ref for
branch creation and deletion (wrongly skipping events).
* toggling the WIP state of a pull request is possible from the sidebar,
but not from the footer.
* when mentioning a user, the markup post-processor does not handle the case
where the mentioned user does not exist: it tries to skip to the next node,
which in turn, ended up skipping the rest of the line.
* excessive and unnecessary database queries when a user with no repositories
is viewing their dashboard.
* duplicate status check contexts show in the branch protection settings.
* profile info fails to render german singular translation.
* inline attachments of incoming emails (as they occur for example with Apple
Mail) are not attached to comments.
OBS-URL: https://build.opensuse.org/request/show/1171482
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=17
Forwarded request #1170482 from rrahl0
- update to 7.0.1:
* LFS data corruption when running the forgejo doctor check --fix CLI command
or setting [cron.gc_lfs].ENABLED=true (the default is false)
* non backward compatible change in the forgejo admin user create CLI command
* error 500 because of an incorrect evaluation of the template when visiting
the LFS settings of a repository
* GET /repos/{owner}/{name} API endpoint always returns an empty string for
the object_format_name field
* fuzzy search may fail with bleve
OBS-URL: https://build.opensuse.org/request/show/1170483
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=5
- update to 7.0.1:
* LFS data corruption when running the forgejo doctor check --fix CLI command
or setting [cron.gc_lfs].ENABLED=true (the default is false)
* non backward compatible change in the forgejo admin user create CLI command
* error 500 because of an incorrect evaluation of the template when visiting
the LFS settings of a repository
* GET /repos/{owner}/{name} API endpoint always returns an empty string for
the object_format_name field
* fuzzy search may fail with bleve
OBS-URL: https://build.opensuse.org/request/show/1170482
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=15
- update to 7.0.0:
This is only an excerpt from the full changelog, which you can find
in your RELEASE-NOTES.md or at
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0
* MySQL 8.0 or PostgreSQL 12 are the minimum supported versions.
The database must be migrated before upgrading.
The requirements regarding SQLite did not change.
* The per_page parameter is no longer a synonym for limit in the
/repos/{owner}/{repo}/releases API endpoint.
* The date format of the created and last_update fields of the
/repos/{owner}/{repo}/push_mirrors and /repos/{owner}/{repo}/push_mirrors
API endpoint changed to be timestamps instead of numbers.
* Labels used by pprof endpoint have been changed
* The fogejo admin user create CLI command requires a password change
by default when creating the first user
OBS-URL: https://build.opensuse.org/request/show/1170087
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=13
- update to 1.21.10-0:
* CVE-2023-45288 which permits an attacker to cause an HTTP/2 endpoint to
read arbitrary amounts of header data
* Fix to not remove repository avatars when the doctor runs with --fix
on the repository archives.
* Detect protected branch on branch rename.
* Don't delete inactive emails explicitly.
* Fix user interface when a review is deleted without refreshing.
* Fix paths when finding files via the web interface that were not escaped.
* Respect DEFAULT_ORG_MEMBER_VISIBLE setting when adding creator to org.
* Fix duplicate migrated milestones.
* Fix inline math blocks can't be preceeded/followed by alphanumerical
characters.
OBS-URL: https://build.opensuse.org/request/show/1165705
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=9
- update to 1.21.8-0:
* Fix /api/v1/{owner}/{repo}/issue_templates which was always failing with a
500 error.
* Prevent error 500 on /user/settings/security when SignedUser has a linked
account from a deactivated authentication source.
* Fix error 500 when pushing release to an empty repo.
* Fix incorrect rendering csv file when file size is larger than UI.CSV.MaxFileSize.
* Fix error 500 when deleting account with incorrect password or unsupported login type.
* handle user-defined name anchors like [Link](#link) linking to <a name="link"></a>Link.
* Use correct head commit for CODEOWNER.
* Fix manual merge button.
* Make meilisearch do exact search for issues.
* Fix PR creation via api between branches of same repo with head field namespaced.
OBS-URL: https://build.opensuse.org/request/show/1160993
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=6
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
