* wip
* Mobile support
* Address review feedback on inline menu
- Mark selection-restore transaction as not added to history
- Only open desktop inline menu when an anchor is available
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* chore(deps): bump zod from 4.3.6 to 4.4.3
Bumps [zod](https://github.com/colinhacks/zod) from 4.3.6 to 4.4.3.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](https://github.com/colinhacks/zod/compare/v4.3.6...v4.4.3)
---
updated-dependencies:
- dependency-name: zod
dependency-version: 4.4.3
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* fix: Make files.create file param optional in schema for zod 4.4
zod 4.4 changed z.custom() to reject undefined. Since validate runs
before multipart injects the file, validation failed with 400 on all
files.create requests. Mark the field optional and guard in the handler.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* chore(deps-dev): bump vite-plugin-babel from 1.6.0 to 1.7.3
Bumps [vite-plugin-babel](https://github.com/owlsdepartment/vite-plugin-babel) from 1.6.0 to 1.7.3.
- [Commits](https://github.com/owlsdepartment/vite-plugin-babel/commits)
---
updated-dependencies:
- dependency-name: vite-plugin-babel
dependency-version: 1.7.3
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* fix: Use include option for vite-plugin-babel TS transform
vite-plugin-babel 1.7.0 added an `include` option defaulting to
`/\.jsx?$/` (JS only) that is applied before `filter`, so .ts/.tsx
files were no longer transformed by Babel and reached the parser
with types intact. Switch to the `include` option to match TS files.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Forces transitive uuid copies (8.3.2 via sequelize/bull, 9.0.1 via
@hocuspocus/*) onto the patched 11.1.1, addressing GHSA-w5hq-g745-h8pq.
11.1.1 is the highest version that is both patched and ships a CommonJS
build, which the require()-based consumers depend on.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* fix: Allow service worker to load on custom domains
Add explicit worker-src 'self' so the service worker can register on
team custom domains. Without it, browsers fall back to script-src which
only lists env.URL and env.CDN_URL, blocking /static/sw.js on hosts
like docs.getoutline.com.
* fix: Switch worker-src approach to script-src 'self' for type safety
The @types/koa-helmet definitions don't include workerSrc. Add 'self'
to script-src instead — worker-src falls back to script-src per spec,
and 'self' matches the document origin on custom domains.
* fix: Properly add worker-src directive without script-src widening
Extract the CSP directives to a local variable so workerSrc can be
included despite koa-helmet's outdated type definitions missing it
(the underlying helmet supports it). Also drop @types/koa-helmet
since the package now ships its own (equivalent) types.
Remove `debug: 4.3.4` resolution which was forcing a downgrade – packages
requesting ^4.4.x now resolve to their correct versions. Remove
`ajv@npm:~8.13.0` resolution as no package in the dependency tree requests
that range anymore.
https://claude.ai/code/session_01JmpWGCUCVdKqN3MgsYc3fi
Co-authored-by: Claude <noreply@anthropic.com>
The `lodash-es@npm:4.17.23` resolution targeted a specific descriptor
that is no longer requested by any package — only `lodash-es: ^4.17.21`
appears in the dependency tree now, which resolves naturally to 4.18.1.
Removing the resolution produces no change in yarn.lock.
All other resolutions still prevent regressions (yarn install would
install a strictly lower version without them) or serve as project-pin
dedupe targets retained for compatibility, matching the rationale from
the prior audit in #12304.
Co-authored-by: Claude <noreply@anthropic.com>
* chore(deps-dev): bump oxlint-tsgolint from 0.14.2 to 0.22.1
Bumps [oxlint-tsgolint](https://github.com/oxc-project/tsgolint) from 0.14.2 to 0.22.1.
- [Release notes](https://github.com/oxc-project/tsgolint/releases)
- [Commits](https://github.com/oxc-project/tsgolint/compare/v0.14.2...v0.22.1)
---
updated-dependencies:
- dependency-name: oxlint-tsgolint
dependency-version: 0.22.1
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore: Switch tsconfig to bundler resolution for tsgolint 0.22.1
oxlint-tsgolint 0.22.1 removed support for moduleResolution=node10
(the alias for "node"). Switch to "bundler" with resolvePackageJsonExports
disabled so packages whose exports field omits a types condition still
resolve. Update markdown-it type imports to sub-paths since the package's
.d.mts entry only re-exports a subset of named types.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix: Resolve type-aware lint errors caught by tsgolint 0.22.1
oxlint-tsgolint 0.22.1 catches several await-thenable, no-floating-promises,
and no-meaningless-void-operator cases the prior 0.14.2 missed:
- Drop redundant inner `await` from Promise.all([await x, await y]) call sites
so the array entries are real Promises rather than already-resolved values.
- Replace Promise.all wrappers around synchronous presenters (presentEvent,
presentTemplate, presentPublicTeam) with plain map / direct calls.
- Wrap non-promise branches of ternaries inside Promise.all with
Promise.resolve so the array remains thenable across both arms.
- Add `void` to the unawaited provider.connect() in the auth-failed retry
chain, and remove `void` from the disconnect() call which returns void.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
The "js-yaml": "^4.1.1" resolution is now a no-op — every package that
requests js-yaml in the dep graph already asks for ^4.1.0 or ^4.1.1, both
of which naturally resolve to 4.1.1. Removing the resolution does not
change any installed version.
Audited the remaining resolutions; all still prevent a lower version from
being installed (or are intentional dedupe pins for @types/* and
prosemirror-transform per #12304, plus the i18next-parser compatibility
pin from #12307).
Co-authored-by: Claude <noreply@anthropic.com>
i18next-parser 8.13.0 used a default import for cheerio, which broke
when cheerio dropped its default export. 9.x switched to a namespace
import. Pin the parser's transitive i18next to ^23.16.8 so plural keys
continue to be emitted in compatibilityJSON v3 format expected by the
runtime (i18next 22.5.1).
* chore(deps): Remove resolutions that no longer prevent downgrades
Audited each resolution by removing it and running yarn install to check
whether any package would resolve to a lower version. Removed 31 entries
that were no-ops because the natural resolution already satisfies (or
exceeds) the resolution target — caret ranges that npm now publishes a
matching or higher version for, and one fast-xml-parser pin where the
underlying dependency moved.
Kept 13 entries: those that still prevent a regression, plus the @types/*
and prosemirror-transform pins that exist to dedupe transitive copies
against the project's own pinned versions.
* chore(deps): Bump @babel/preset-env to 7.29.5 to address GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs <=7.29.3 generates arbitrary
code when compiling malicious input. Upgrading @babel/preset-env to
^7.29.5 brings in the patched ^7.29.4 transitively.
---------
Co-authored-by: Claude <noreply@anthropic.com>
* wip
* Remove obsolete snapshots
* simplify
* chore(test): Convert mocks to TypeScript and tighten fetch mock types
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Remove unneccessary patches
* Migrate to msw instead of custom fetch mock
* Address PR review comments
- Split chained vi.useFakeTimers().setSystemTime() into separate calls.
- Switch test setup to dynamic imports so EventEmitter.defaultMaxListeners
assignment runs before module init (static imports were hoisted above it).
- Drop redundant NODE_ENV guard in monkeyPatchSequelizeErrorsForJest; its
sole caller already gates on env.isTest.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* chore: Replace lodash with es-toolkit
Migrate all direct lodash imports to es-toolkit/compat for a smaller,
faster, lodash-compatible utility library. Transitive lodash usage from
other packages remains unchanged.
* fix: Restore isPlainObject semantics in CanCan policy
The lodash migration aliased `isObject` to `lodash/isPlainObject` and
the codemod incorrectly mapped the local name to es-toolkit's `isObject`,
which also returns true for arrays and functions. This caused condition
objects in policy definitions to be skipped, breaking authorization
checks across the codebase.
* fix: Restore unicode-aware length counting in validators
es-toolkit/compat's size() returns string.length, while lodash's _.size()
counts unicode code points. Switch to [...value].length to preserve the
previous behavior so multi-byte characters like emoji count as one.
* chore: Vendor request-filtering-agent
* fix: honor fetch timeout and undefined allow list in proxy pre-flight
Default allowIPAddressList to [] so an unset ALLOWED_PRIVATE_IP_ADDRESSES
env var doesn't overwrite the agent's default and crash on .length, and
race the pre-flight DNS lookup against the request's abort signal so the
configured fetch timeout applies to slow DNS resolution.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
dependabot[bot]