e32b3772b2
chore(deps-dev): bump vite-plugin-babel from 1.6.0 to 1.7.3 ( #12561 )
...
* chore(deps-dev): bump vite-plugin-babel from 1.6.0 to 1.7.3
Bumps [vite-plugin-babel](https://github.com/owlsdepartment/vite-plugin-babel ) from 1.6.0 to 1.7.3.
- [Commits](https://github.com/owlsdepartment/vite-plugin-babel/commits )
---
updated-dependencies:
- dependency-name: vite-plugin-babel
dependency-version: 1.7.3
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
* fix: Use include option for vite-plugin-babel TS transform
vite-plugin-babel 1.7.0 added an `include` option defaulting to
`/\.jsx?$/` (JS only) that is applied before `filter`, so .ts/.tsx
files were no longer transformed by Babel and reached the parser
with types intact. Switch to the `include` option to match TS files.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com >
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-02 22:11:03 -04:00
b2c66c5190
chore(deps-dev): bump the babel group with 7 updates ( #12560 )
...
Bumps the babel group with 7 updates:
| Package | From | To |
| --- | --- | --- |
| [@babel/cli](https://github.com/babel/babel/tree/HEAD/packages/babel-cli ) | `7.28.6` | `7.29.7` |
| [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core ) | `7.29.0` | `7.29.7` |
| [@babel/plugin-proposal-decorators](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-proposal-decorators ) | `7.29.0` | `7.29.7` |
| [@babel/plugin-transform-class-properties](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-class-properties ) | `7.28.6` | `7.29.7` |
| [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env ) | `7.29.5` | `7.29.7` |
| [@babel/preset-react](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-react ) | `7.28.5` | `7.29.7` |
| [@babel/preset-typescript](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-typescript ) | `7.28.5` | `7.29.7` |
Updates `@babel/cli` from 7.28.6 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-cli )
Updates `@babel/core` from 7.29.0 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-core )
Updates `@babel/plugin-proposal-decorators` from 7.29.0 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-proposal-decorators )
Updates `@babel/plugin-transform-class-properties` from 7.28.6 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-transform-class-properties )
Updates `@babel/preset-env` from 7.29.5 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-preset-env )
Updates `@babel/preset-react` from 7.28.5 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-preset-react )
Updates `@babel/preset-typescript` from 7.28.5 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-preset-typescript )
---
updated-dependencies:
- dependency-name: "@babel/cli"
dependency-version: 7.29.7
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: babel
- dependency-name: "@babel/core"
dependency-version: 7.29.7
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: babel
- dependency-name: "@babel/plugin-proposal-decorators"
dependency-version: 7.29.7
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: babel
- dependency-name: "@babel/plugin-transform-class-properties"
dependency-version: 7.29.7
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: babel
- dependency-name: "@babel/preset-env"
dependency-version: 7.29.7
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: babel
- dependency-name: "@babel/preset-react"
dependency-version: 7.29.7
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: babel
- dependency-name: "@babel/preset-typescript"
dependency-version: 7.29.7
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: babel
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-02 22:01:45 -04:00
875ba8d03c
chore(deps): bump yjs from 13.6.30 to 13.6.31 ( #12562 )
...
Bumps [yjs](https://github.com/yjs/yjs ) from 13.6.30 to 13.6.31.
- [Release notes](https://github.com/yjs/yjs/releases )
- [Commits](https://github.com/yjs/yjs/compare/v13.6.30...v13.6.31 )
---
updated-dependencies:
- dependency-name: yjs
dependency-version: 13.6.31
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-02 22:01:30 -04:00
bcf1155818
chore(deps): bump semver from 7.7.4 to 7.8.1 ( #12564 )
...
Bumps [semver](https://github.com/npm/node-semver ) from 7.7.4 to 7.8.1.
- [Release notes](https://github.com/npm/node-semver/releases )
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md )
- [Commits](https://github.com/npm/node-semver/compare/v7.7.4...v7.8.1 )
---
updated-dependencies:
- dependency-name: semver
dependency-version: 7.8.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-02 22:01:03 -04:00
ad89288eac
fix: Resolve uuid to ^11.1.1 to patch CVE-2026-41907 ( #12541 )
...
Forces transitive uuid copies (8.3.2 via sequelize/bull, 9.0.1 via
@hocuspocus/*) onto the patched 11.1.1, addressing GHSA-w5hq-g745-h8pq.
11.1.1 is the highest version that is both patched and ships a CommonJS
build, which the require()-based consumers depend on.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-05-30 18:26:09 -04:00
5aff60e28b
chore(deps): bump axios from 1.15.2 to 1.16.1 ( #12523 )
...
Bumps [axios](https://github.com/axios/axios ) from 1.15.2 to 1.16.1.
- [Release notes](https://github.com/axios/axios/releases )
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md )
- [Commits](https://github.com/axios/axios/compare/v1.15.2...v1.16.1 )
---
updated-dependencies:
- dependency-name: axios
dependency-version: 1.16.1
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-29 12:15:24 -04:00
ae5cd6a159
fix: Allow service worker to load on custom domains ( #12502 )
...
* fix: Allow service worker to load on custom domains
Add explicit worker-src 'self' so the service worker can register on
team custom domains. Without it, browsers fall back to script-src which
only lists env.URL and env.CDN_URL, blocking /static/sw.js on hosts
like docs.getoutline.com.
* fix: Switch worker-src approach to script-src 'self' for type safety
The @types/koa-helmet definitions don't include workerSrc. Add 'self'
to script-src instead — worker-src falls back to script-src per spec,
and 'self' matches the document origin on custom domains.
* fix: Properly add worker-src directive without script-src widening
Extract the CSP directives to a local variable so workerSrc can be
included despite koa-helmet's outdated type definitions missing it
(the underlying helmet supports it). Also drop @types/koa-helmet
since the package now ships its own (equivalent) types.
2026-05-28 09:07:05 -04:00
a4a67f2cdd
fix: Upgrade yauzl, improve stream close handling
2026-05-27 20:33:33 -04:00
48aa4f33ce
chore: Upgrade ipaddr.js ( #12491 )
2026-05-27 20:27:28 -04:00
b424d92724
chore: Bump tmp dep ( #12494 )
2026-05-27 18:39:49 -04:00
6bab00b92e
chore(deps): upgrade octokit to v5 and @octokit/auth-app to v8 ( #12472 )
...
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-26 19:47:58 -04:00
a9a54d5ada
chore(deps): bump the aws group with 5 updates ( #12455 )
...
Bumps the aws group with 5 updates:
| Package | From | To |
| --- | --- | --- |
| [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3 ) | `3.1045.0` | `3.1053.0` |
| [@aws-sdk/lib-storage](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/lib/lib-storage ) | `3.1045.0` | `3.1053.0` |
| [@aws-sdk/s3-presigned-post](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages/s3-presigned-post ) | `3.1045.0` | `3.1053.0` |
| [@aws-sdk/s3-request-presigner](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages/s3-request-presigner ) | `3.1045.0` | `3.1053.0` |
| [@aws-sdk/signature-v4-crt](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages/signature-v4-crt ) | `3.1045.0` | `3.1053.0` |
Updates `@aws-sdk/client-s3` from 3.1045.0 to 3.1053.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases )
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md )
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1053.0/clients/client-s3 )
Updates `@aws-sdk/lib-storage` from 3.1045.0 to 3.1053.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases )
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/lib/lib-storage/CHANGELOG.md )
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1053.0/lib/lib-storage )
Updates `@aws-sdk/s3-presigned-post` from 3.1045.0 to 3.1053.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases )
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages/s3-presigned-post/CHANGELOG.md )
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1053.0/packages/s3-presigned-post )
Updates `@aws-sdk/s3-request-presigner` from 3.1045.0 to 3.1053.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases )
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages/s3-request-presigner/CHANGELOG.md )
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1053.0/packages/s3-request-presigner )
Updates `@aws-sdk/signature-v4-crt` from 3.1045.0 to 3.1053.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases )
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages/signature-v4-crt/CHANGELOG.md )
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1053.0/packages/signature-v4-crt )
---
updated-dependencies:
- dependency-name: "@aws-sdk/client-s3"
dependency-version: 3.1053.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws
- dependency-name: "@aws-sdk/lib-storage"
dependency-version: 3.1053.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws
- dependency-name: "@aws-sdk/s3-presigned-post"
dependency-version: 3.1053.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws
- dependency-name: "@aws-sdk/s3-request-presigner"
dependency-version: 3.1053.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws
- dependency-name: "@aws-sdk/signature-v4-crt"
dependency-version: 3.1053.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-25 18:57:01 -04:00
5126d8540e
chore(deps): bump uuid from 11.1.0 to 11.1.1 ( #12456 )
...
Bumps [uuid](https://github.com/uuidjs/uuid ) from 11.1.0 to 11.1.1.
- [Release notes](https://github.com/uuidjs/uuid/releases )
- [Changelog](https://github.com/uuidjs/uuid/blob/v11.1.1/CHANGELOG.md )
- [Commits](https://github.com/uuidjs/uuid/compare/v11.1.0...v11.1.1 )
---
updated-dependencies:
- dependency-name: uuid
dependency-version: 11.1.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-25 18:56:47 -04:00
0c3ddef228
chore(deps-dev): bump terser from 5.44.1 to 5.48.0 ( #12457 )
...
Bumps [terser](https://github.com/terser/terser ) from 5.44.1 to 5.48.0.
- [Changelog](https://github.com/terser/terser/blob/master/CHANGELOG.md )
- [Commits](https://github.com/terser/terser/compare/v5.44.1...v5.48.0 )
---
updated-dependencies:
- dependency-name: terser
dependency-version: 5.48.0
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-25 18:56:24 -04:00
3f207aea49
chore(deps-dev): bump oxlint from 1.50.0 to 1.66.0 ( #12458 )
...
Bumps [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint ) from 1.50.0 to 1.66.0.
- [Release notes](https://github.com/oxc-project/oxc/releases )
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md )
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.66.0/npm/oxlint )
---
updated-dependencies:
- dependency-name: oxlint
dependency-version: 1.66.0
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-25 18:56:01 -04:00
08c0390295
chore: Remove unnecessary package resolutions ( #12442 )
...
Remove `debug: 4.3.4` resolution which was forcing a downgrade – packages
requesting ^4.4.x now resolve to their correct versions. Remove
`ajv@npm:~8.13.0` resolution as no package in the dependency tree requests
that range anymore.
https://claude.ai/code/session_01JmpWGCUCVdKqN3MgsYc3fi
Co-authored-by: Claude <noreply@anthropic.com >
2026-05-24 07:27:50 -04:00
92be631350
chore(deps): bump qs from 6.15.1 to 6.15.2 ( #12437 )
2026-05-23 11:27:57 -04:00
8d44a0fd92
chore: Migrate from JSZip to Yazl ( #12408 )
...
* chore: Migrate from JSZip to Yazl
* Add koa stream helper, PR feedback
2026-05-21 23:27:23 -04:00
b639841555
chore(deps): bump @tootallnate/once from 2.0.0 to 2.0.1 ( #12415 )
...
Bumps [@tootallnate/once](https://github.com/TooTallNate/once ) from 2.0.0 to 2.0.1.
- [Release notes](https://github.com/TooTallNate/once/releases )
- [Changelog](https://github.com/TooTallNate/once/blob/v2.0.1/CHANGELOG.md )
- [Commits](https://github.com/TooTallNate/once/compare/2.0.0...v2.0.1 )
---
updated-dependencies:
- dependency-name: "@tootallnate/once"
dependency-version: 2.0.1
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-21 18:34:40 -04:00
3a6df26c8c
chore(deps): bump js-cookie from 3.0.5 to 3.0.7 ( #12414 )
2026-05-21 17:41:07 -04:00
c875a92b86
chore(deps): bump vite-plugin-pwa from 1.2.0 to 1.3.0 ( #12321 )
...
Bumps [vite-plugin-pwa](https://github.com/vite-pwa/vite-plugin-pwa ) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/vite-pwa/vite-plugin-pwa/releases )
- [Commits](https://github.com/vite-pwa/vite-plugin-pwa/compare/v1.2.0...v1.3.0 )
---
updated-dependencies:
- dependency-name: vite-plugin-pwa
dependency-version: 1.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 20:52:52 -04:00
a11a8442dc
chore(deps): bump @fast-csv/parse from 5.0.5 to 5.0.7 ( #12389 )
...
Bumps [@fast-csv/parse](https://github.com/C2FO/fast-csv/tree/HEAD/packages/parse ) from 5.0.5 to 5.0.7.
- [Release notes](https://github.com/C2FO/fast-csv/releases )
- [Changelog](https://github.com/C2FO/fast-csv/blob/main/packages/parse/CHANGELOG.md )
- [Commits](https://github.com/C2FO/fast-csv/commits/v5.0.7/packages/parse )
---
updated-dependencies:
- dependency-name: "@fast-csv/parse"
dependency-version: 5.0.7
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 20:52:29 -04:00
1e2159edf7
chore: Update ws dep resolution ( #12398 )
2026-05-19 20:52:14 -04:00
620c654b26
chore(deps): bump react-colorful from 5.6.1 to 5.7.0 ( #12386 )
...
* chore(deps): bump react-colorful from 5.6.1 to 5.7.0
Bumps [react-colorful](https://github.com/omgovich/react-colorful ) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/omgovich/react-colorful/releases )
- [Changelog](https://github.com/omgovich/react-colorful/blob/master/CHANGELOG.md )
- [Commits](https://github.com/omgovich/react-colorful/commits/5.7.0 )
---
updated-dependencies:
- dependency-name: react-colorful
dependency-version: 5.7.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
* Use new prop
---------
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com >
2026-05-18 22:57:52 -04:00
6e2b53315b
chore(deps-dev): bump @vitest/ui from 4.1.5 to 4.1.6 ( #12387 )
...
Bumps [@vitest/ui](https://github.com/vitest-dev/vitest/tree/HEAD/packages/ui ) from 4.1.5 to 4.1.6.
- [Release notes](https://github.com/vitest-dev/vitest/releases )
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.6/packages/ui )
---
updated-dependencies:
- dependency-name: "@vitest/ui"
dependency-version: 4.1.6
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-18 22:54:09 -04:00
57b9cfdcf2
chore(deps): bump @dotenvx/dotenvx from 1.64.0 to 1.66.0 ( #12388 )
...
Bumps [@dotenvx/dotenvx](https://github.com/dotenvx/dotenvx ) from 1.64.0 to 1.66.0.
- [Release notes](https://github.com/dotenvx/dotenvx/releases )
- [Changelog](https://github.com/dotenvx/dotenvx/blob/main/CHANGELOG.md )
- [Commits](https://github.com/dotenvx/dotenvx/compare/v1.64.0...v1.66.0 )
---
updated-dependencies:
- dependency-name: "@dotenvx/dotenvx"
dependency-version: 1.66.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-18 22:28:55 -04:00
8f8cbb6b71
chore(deps): bump umzug from 3.8.2 to 3.8.3 ( #12385 )
...
Bumps [umzug](https://github.com/sequelize/umzug ) from 3.8.2 to 3.8.3.
- [Release notes](https://github.com/sequelize/umzug/releases )
- [Changelog](https://github.com/sequelize/umzug/blob/main/CHANGELOG.md )
- [Commits](https://github.com/sequelize/umzug/compare/v3.8.2...v3.8.3 )
---
updated-dependencies:
- dependency-name: umzug
dependency-version: 3.8.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-18 22:09:53 -04:00
c8c2bd8cc9
chore(deps-dev): bump @types/koa from 2.15.0 to 2.15.1 ( #12384 )
...
Bumps [@types/koa](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/koa ) from 2.15.0 to 2.15.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases )
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/koa )
---
updated-dependencies:
- dependency-name: "@types/koa"
dependency-version: 2.15.1
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-18 22:09:19 -04:00
aab7de9781
chore(deps): bump i18next-http-backend from 3.0.5 to 3.0.6 ( #12383 )
...
Bumps [i18next-http-backend](https://github.com/i18next/i18next-http-backend ) from 3.0.5 to 3.0.6.
- [Changelog](https://github.com/i18next/i18next-http-backend/blob/master/CHANGELOG.md )
- [Commits](https://github.com/i18next/i18next-http-backend/compare/v3.0.5...v3.0.6 )
---
updated-dependencies:
- dependency-name: i18next-http-backend
dependency-version: 3.0.6
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-18 22:09:06 -04:00
158cac0a8a
chore(deps): bump react-hook-form from 7.74.0 to 7.76.0 ( #12382 )
...
Bumps [react-hook-form](https://github.com/react-hook-form/react-hook-form ) from 7.74.0 to 7.76.0.
- [Release notes](https://github.com/react-hook-form/react-hook-form/releases )
- [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md )
- [Commits](https://github.com/react-hook-form/react-hook-form/compare/v7.74.0...v7.76.0 )
---
updated-dependencies:
- dependency-name: react-hook-form
dependency-version: 7.76.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-18 22:08:39 -04:00
5d32db86cf
chore(deps): bump brace-expansion from 5.0.5 to 5.0.6 ( #12376 )
...
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion ) from 5.0.5 to 5.0.6.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases )
- [Commits](https://github.com/juliangruber/brace-expansion/compare/v5.0.5...v5.0.6 )
---
updated-dependencies:
- dependency-name: brace-expansion
dependency-version: 5.0.6
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-18 14:18:16 -04:00
6e99dff3c2
chore: Upgrade Mermaid ( #12331 )
2026-05-12 21:22:20 -04:00
fc01deeefd
chore(deps-dev): bump oxlint-tsgolint from 0.14.2 to 0.22.1 ( #12320 )
...
* chore(deps-dev): bump oxlint-tsgolint from 0.14.2 to 0.22.1
Bumps [oxlint-tsgolint](https://github.com/oxc-project/tsgolint ) from 0.14.2 to 0.22.1.
- [Release notes](https://github.com/oxc-project/tsgolint/releases )
- [Commits](https://github.com/oxc-project/tsgolint/compare/v0.14.2...v0.22.1 )
---
updated-dependencies:
- dependency-name: oxlint-tsgolint
dependency-version: 0.22.1
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
* chore: Switch tsconfig to bundler resolution for tsgolint 0.22.1
oxlint-tsgolint 0.22.1 removed support for moduleResolution=node10
(the alias for "node"). Switch to "bundler" with resolvePackageJsonExports
disabled so packages whose exports field omits a types condition still
resolve. Update markdown-it type imports to sub-paths since the package's
.d.mts entry only re-exports a subset of named types.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
* fix: Resolve type-aware lint errors caught by tsgolint 0.22.1
oxlint-tsgolint 0.22.1 catches several await-thenable, no-floating-promises,
and no-meaningless-void-operator cases the prior 0.14.2 missed:
- Drop redundant inner `await` from Promise.all([await x, await y]) call sites
so the array entries are real Promises rather than already-resolved values.
- Replace Promise.all wrappers around synchronous presenters (presentEvent,
presentTemplate, presentPublicTeam) with plain map / direct calls.
- Wrap non-promise branches of ternaries inside Promise.all with
Promise.resolve so the array remains thenable across both arms.
- Add `void` to the unawaited provider.connect() in the auth-failed retry
chain, and remove `void` from the disconnect() call which returns void.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com >
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-12 07:59:13 -04:00
dab06d4dfa
chore(deps): bump i18next-fs-backend from 2.6.4 to 2.6.5 ( #12319 )
2026-05-11 20:19:11 -04:00
dcddab47e1
chore(deps): bump koa-compress from 5.1.1 to 5.2.1 ( #12318 )
2026-05-11 20:17:56 -04:00
0eee576b81
chore(deps): bump the aws group with 5 updates ( #12317 )
2026-05-11 20:17:07 -04:00
ab42e4fda8
chore(deps): Remove js-yaml resolution that no longer prevents downgrades ( #12309 )
...
The "js-yaml": "^4.1.1" resolution is now a no-op — every package that
requests js-yaml in the dep graph already asks for ^4.1.0 or ^4.1.1, both
of which naturally resolve to 4.1.1. Removing the resolution does not
change any installed version.
Audited the remaining resolutions; all still prevent a lower version from
being installed (or are intentional dedupe pins for @types/* and
prosemirror-transform per #12304 , plus the i18next-parser compatibility
pin from #12307 ).
Co-authored-by: Claude <noreply@anthropic.com >
2026-05-10 09:32:30 -04:00
2cb47aa421
chore(deps): Bump i18next-parser to 9.4.0 to fix pre-commit hook ( #12307 )
...
i18next-parser 8.13.0 used a default import for cheerio, which broke
when cheerio dropped its default export. 9.x switched to a namespace
import. Pin the parser's transitive i18next to ^23.16.8 so plural keys
continue to be emitted in compatibilityJSON v3 format expected by the
runtime (i18next 22.5.1).
2026-05-09 13:53:45 -04:00
fba1bcef87
chore(deps): bump hono from 4.12.16 to 4.12.18 ( #12305 )
...
Bumps [hono](https://github.com/honojs/hono ) from 4.12.16 to 4.12.18.
- [Release notes](https://github.com/honojs/hono/releases )
- [Commits](https://github.com/honojs/hono/compare/v4.12.16...v4.12.18 )
---
updated-dependencies:
- dependency-name: hono
dependency-version: 4.12.18
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-09 09:09:36 -04:00
4548fc00bf
chore(deps): Remove resolutions that no longer prevent downgrades ( #12304 )
...
* chore(deps): Remove resolutions that no longer prevent downgrades
Audited each resolution by removing it and running yarn install to check
whether any package would resolve to a lower version. Removed 31 entries
that were no-ops because the natural resolution already satisfies (or
exceeds) the resolution target — caret ranges that npm now publishes a
matching or higher version for, and one fast-xml-parser pin where the
underlying dependency moved.
Kept 13 entries: those that still prevent a regression, plus the @types/*
and prosemirror-transform pins that exist to dedupe transitive copies
against the project's own pinned versions.
* chore(deps): Bump @babel/preset-env to 7.29.5 to address GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs <=7.29.3 generates arbitrary
code when compiling malicious input. Upgrading @babel/preset-env to
^7.29.5 brings in the patched ^7.29.4 transitively.
---------
Co-authored-by: Claude <noreply@anthropic.com >
2026-05-09 09:02:50 -04:00
8248fafe70
chore(deps): bump fast-uri from 3.1.0 to 3.1.2 ( #12300 )
...
Bumps [fast-uri](https://github.com/fastify/fast-uri ) from 3.1.0 to 3.1.2.
- [Release notes](https://github.com/fastify/fast-uri/releases )
- [Commits](https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.2 )
---
updated-dependencies:
- dependency-name: fast-uri
dependency-version: 3.1.2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-08 14:41:20 -04:00
a346e6dee6
chore(deps): bump fast-xml-builder from 1.1.5 to 1.1.8 ( #12299 )
...
Bumps [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder ) from 1.1.5 to 1.1.8.
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md )
- [Commits](https://github.com/NaturalIntelligence/fast-xml-builder/compare/v1.1.5...v1.1.8 )
---
updated-dependencies:
- dependency-name: fast-xml-builder
dependency-version: 1.1.8
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-08 14:32:14 -04:00
87029a3ad7
chore(deps): bump ip-address to 10.2.0 to address XSS advisory ( #12286 )
...
* chore(deps): bump ip-address to 10.2.0 to address XSS advisory
2026-05-07 08:22:07 -04:00
091346dfe8
chore: Migrate to vitest ( #12272 )
...
* wip
* Remove obsolete snapshots
* simplify
* chore(test): Convert mocks to TypeScript and tighten fetch mock types
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
* Remove unneccessary patches
* Migrate to msw instead of custom fetch mock
* Address PR review comments
- Split chained vi.useFakeTimers().setSystemTime() into separate calls.
- Switch test setup to dynamic imports so EventEmitter.defaultMaxListeners
assignment runs before module init (static imports were hoisted above it).
- Drop redundant NODE_ENV guard in monkeyPatchSequelizeErrorsForJest; its
sole caller already gates on env.isTest.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-06 21:10:51 -04:00
0139b91b5d
chore: Replace lodash with es-toolkit ( #12281 )
...
* chore: Replace lodash with es-toolkit
Migrate all direct lodash imports to es-toolkit/compat for a smaller,
faster, lodash-compatible utility library. Transitive lodash usage from
other packages remains unchanged.
* fix: Restore isPlainObject semantics in CanCan policy
The lodash migration aliased `isObject` to `lodash/isPlainObject` and
the codemod incorrectly mapped the local name to es-toolkit's `isObject`,
which also returns true for arrays and functions. This caused condition
objects in policy definitions to be skipped, breaking authorization
checks across the codebase.
* fix: Restore unicode-aware length counting in validators
es-toolkit/compat's size() returns string.length, while lodash's _.size()
counts unicode code points. Switch to [...value].length to preserve the
previous behavior so multi-byte characters like emoji count as one.
2026-05-06 21:03:47 -04:00
9ddb57f1d3
chore(deps): bump hono from 4.12.12 to 4.12.16 ( #12283 )
...
Bumps [hono](https://github.com/honojs/hono ) from 4.12.12 to 4.12.16.
- [Release notes](https://github.com/honojs/hono/releases )
- [Commits](https://github.com/honojs/hono/compare/v4.12.12...v4.12.16 )
---
updated-dependencies:
- dependency-name: hono
dependency-version: 4.12.16
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-06 20:34:40 -04:00
ad7e6c98ab
chore: Vendor request-filtering-agent ( #12266 )
...
* chore: Vendor request-filtering-agent
* fix: honor fetch timeout and undefined allow list in proxy pre-flight
Default allowIPAddressList to [] so an unset ALLOWED_PRIVATE_IP_ADDRESSES
env var doesn't overwrite the agent's default and crash on .length, and
race the pre-flight DNS lookup against the request's abort signal so the
configured fetch timeout applies to slow DNS resolution.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-06 20:26:52 -04:00
77aee86c01
chore(deps): bump prosemirror-changeset from 2.3.1 to 2.4.1 ( #12261 )
...
* chore(deps): bump prosemirror-changeset from 2.3.1 to 2.4.1
Bumps [prosemirror-changeset](https://github.com/prosemirror/prosemirror-changeset ) from 2.3.1 to 2.4.1.
- [Changelog](https://github.com/ProseMirror/prosemirror-changeset/blob/master/CHANGELOG.md )
- [Commits](https://github.com/prosemirror/prosemirror-changeset/commits )
---
updated-dependencies:
- dependency-name: prosemirror-changeset
dependency-version: 2.4.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
* fix: ExtendedChange type for prosemirror-changeset 2.4.1
The new Change class adds a toJSON() method, which broke `extends Change`
since ExtendedChange values are built via object spread and have no
prototype methods. Pick only the data properties instead.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com >
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-04 21:11:09 -04:00
bee5945c0b
chore(deps-dev): bump @types/markdown-it from 14.1.1 to 14.1.2 ( #12260 )
...
* chore(deps-dev): bump @types/markdown-it from 14.1.1 to 14.1.2
Bumps [@types/markdown-it](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/markdown-it ) from 14.1.1 to 14.1.2.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases )
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/markdown-it )
---
updated-dependencies:
- dependency-name: "@types/markdown-it"
dependency-version: 14.1.2
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
* fix: Drop removed `jump` field from mark delimiter
@types/markdown-it 14.1.2 removed `jump` from the `Delimiter` interface
to match upstream markdown-it, which tracks jumps in a local array
inside balance_pairs rather than on each delimiter.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com >
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-04 21:10:58 -04:00
1f8f708c83
chore(deps): bump @bull-board/api from 6.21.2 to 6.21.3 ( #12259 )
...
* chore(deps): bump @bull-board/api from 6.21.2 to 6.21.3
Bumps [@bull-board/api](https://github.com/felixmosh/bull-board/tree/HEAD/packages/api ) from 6.21.2 to 6.21.3.
- [Release notes](https://github.com/felixmosh/bull-board/releases )
- [Changelog](https://github.com/felixmosh/bull-board/blob/master/CHANGELOG.md )
- [Commits](https://github.com/felixmosh/bull-board/commits/v6.21.3/packages/api )
---
updated-dependencies:
- dependency-name: "@bull-board/api"
dependency-version: 6.21.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
* chore(deps): bump @bull-board/koa to 6.21.3
Aligns koa adapter's nested @bull-board/api with the top-level 6.21.3
to fix a TS2322 error from divergent BaseAdapter types.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com >
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-04 21:10:44 -04:00
dependabot[bot]