v1.11.78

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/build_linux.yaml

@@ -112,14 +112,14 @@ jobs:
             - name: "Get modified files"
               id: changed_files
               if: steps.cache.outputs.cache-hit != 'true' && github.event_name == 'pull_request'
-              uses: tj-actions/changed-files@6b2903bdce6310cfbddd87c418f253cf29b2dec9 # v44
+              uses: tj-actions/changed-files@40853de9f8ce2d6cfdc73c1b96f14e22ba44aec4 # v45
               with:
                   files: |
                       dockerbuild/**
 
             # This allows contributors to test changes to the dockerbuild image within a pull request
             - name: Build docker image
-              uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6
+              uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6
               if: steps.changed_files.outputs.any_modified == 'true'
               with:
                   context: dockerbuild

.github/workflows/dockerbuild.yaml

@@ -23,7 +23,7 @@ jobs:
               uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3
+              uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3
               with:
                   install: true
 
@@ -43,7 +43,7 @@ jobs:
                       type=ref,event=branch
 
             - name: Build and push Docker image
-              uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6
+              uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6
               with:
                   context: dockerbuild
                   push: true

CHANGELOG.md

@@ -1,3 +1,98 @@
+Changes in [1.11.78](https://github.com/element-hq/element-desktop/releases/tag/v1.11.78) (2024-09-24)
+======================================================================================================
+* No changes
+
+## ✨ Features
+
+* Add Release announcement for the pinning message list ([#46](https://github.com/element-hq/matrix-react-sdk/pull/46)). Contributed by @florianduros.
+* Unlabs feature pinning ([#22](https://github.com/element-hq/matrix-react-sdk/pull/22)). Contributed by @florianduros.
+* Add mobile registration ([#42](https://github.com/element-hq/matrix-react-sdk/pull/42)). Contributed by @langleyd.
+* Add support for `org.matrix.cross_signing_reset` UIA stage flow ([#34](https://github.com/element-hq/matrix-react-sdk/pull/34)). Contributed by @t3chguy.
+* Add timezone to user profile ([#20](https://github.com/element-hq/matrix-react-sdk/pull/20)). Contributed by @Half-Shot.
+* Add config option to force verification ([#29](https://github.com/element-hq/matrix-react-sdk/pull/29)). Contributed by @dbkr.
+* Reduce pinned message banner size ([#28](https://github.com/element-hq/matrix-react-sdk/pull/28)). Contributed by @florianduros.
+* Enable message pinning labs by default ([#25](https://github.com/element-hq/matrix-react-sdk/pull/25)). Contributed by @florianduros.
+* Remove release announcement of the new header ([#23](https://github.com/element-hq/matrix-react-sdk/pull/23)). Contributed by @florianduros.
+
+## 🐛 Bug Fixes
+
+* Fix timeout type ([#40](https://github.com/element-hq/matrix-react-sdk/pull/40)). Contributed by @dbkr.
+* Fix huge usage bandwidth and performance issue of pinned message banner. ([#37](https://github.com/element-hq/matrix-react-sdk/pull/37)). Contributed by @florianduros.
+* Reverse order of pinned message list ([#19](https://github.com/element-hq/matrix-react-sdk/pull/19)). Contributed by @florianduros.
+
+
+
+Changes in [1.11.77](https://github.com/element-hq/element-desktop/releases/tag/v1.11.77) (2024-09-10)
+======================================================================================================
+## Licensing
+
+matrix-react-sdk is being forked by Element at https://github.com/element-hq/matrix-react-sdk. Contributions are licensed to Element under a CLA and made available under an AGPLv3.0 or GPLv3.0 license at your choice.
+
+You can read more about this here:
+https://matrix.org/blog/2024/08/heart-of-matrix/
+https://element.io/blog/sustainable-licensing-at-element-with-agpl/ 
+
+The Matrix.org Foundation copy of the project will be archived. We don't expect any changes are needed by system administrators. Any updates will be communicated via our usual announcements channels and we are striving to make this as seamless as possible.
+
+## ✨ Features
+
+* Add docs for widget container height option ([#27922](https://github.com/element-hq/element-web/pull/27922)). Contributed by @dbkr.
+* Allow user to set timezone ([#12775](https://github.com/matrix-org/matrix-react-sdk/pull/12775)). Contributed by @Timshel.
+* Implement download\_file in widget driver ([#12931](https://github.com/matrix-org/matrix-react-sdk/pull/12931)). Contributed by @weeman1337.
+* Sort the pinning message list in the same order than the banner. By timeline order. ([#12937](https://github.com/matrix-org/matrix-react-sdk/pull/12937)). Contributed by @florianduros.
+* Display pinned messages on a banner at the top of a room ([#12917](https://github.com/matrix-org/matrix-react-sdk/pull/12917)). Contributed by @florianduros.
+* Add a config option to control the default widget container height ([#12893](https://github.com/matrix-org/matrix-react-sdk/pull/12893)). Contributed by @dbkr.
+* RTE drafts ([#12674](https://github.com/matrix-org/matrix-react-sdk/pull/12674)). Contributed by @langleyd.
+* Add thread information in pinned message list ([#12902](https://github.com/matrix-org/matrix-react-sdk/pull/12902)). Contributed by @florianduros.
+* Add Pin/Unpin action in quick access of the message action bar ([#12897](https://github.com/matrix-org/matrix-react-sdk/pull/12897)). Contributed by @florianduros.
+
+## 🐛 Bug Fixes
+
+* Fix read receipt animation ([#12923](https://github.com/matrix-org/matrix-react-sdk/pull/12923)). Contributed by @dbkr.
+* Display the indicator even with one message in pinned message banner ([#12946](https://github.com/matrix-org/matrix-react-sdk/pull/12946)). Contributed by @florianduros.
+* Always display last pinned message on the banner ([#12945](https://github.com/matrix-org/matrix-react-sdk/pull/12945)). Contributed by @florianduros.
+* The pinned message banner or list are triggering  🎉 effect. ([#12944](https://github.com/matrix-org/matrix-react-sdk/pull/12944)). Contributed by @florianduros.
+* Fix reply message truncation on 2 lines ([#12929](https://github.com/matrix-org/matrix-react-sdk/pull/12929)). Contributed by @florianduros.
+* Fix pin/unpin slowness and non refresh from the message action bar ([#12934](https://github.com/matrix-org/matrix-react-sdk/pull/12934)). Contributed by @florianduros.
+* Ignore desktop for minimum browser support. ([#12928](https://github.com/matrix-org/matrix-react-sdk/pull/12928)). Contributed by @florianduros.
+
+
+
+Changes in [1.11.76](https://github.com/element-hq/element-desktop/releases/tag/v1.11.76) (2024-08-27)
+======================================================================================================
+## ✨ Features
+
+* Message Pinning: rework the message pinning list in the right panel ([#12825](https://github.com/matrix-org/matrix-react-sdk/pull/12825)). Contributed by @florianduros.
+* Tweak UIA postMessage check to work cross-origin ([#12878](https://github.com/matrix-org/matrix-react-sdk/pull/12878)). Contributed by @t3chguy.
+* Delayed events (Futures) / MSC4140 for call widget ([#12714](https://github.com/matrix-org/matrix-react-sdk/pull/12714)). Contributed by @AndrewFerr.
+* Stop the ongoing ring if another device joins the call session. ([#12866](https://github.com/matrix-org/matrix-react-sdk/pull/12866)). Contributed by @toger5.
+* Rich text Editor: Auto-replace plain text emoticons with emoji ([#12828](https://github.com/matrix-org/matrix-react-sdk/pull/12828)). Contributed by @langleyd.
+* Clean up editor drafts for unknown rooms  ([#12850](https://github.com/matrix-org/matrix-react-sdk/pull/12850)). Contributed by @langleyd.
+* Rename general user settings to account ([#12841](https://github.com/matrix-org/matrix-react-sdk/pull/12841)). Contributed by @dbkr.
+* Update settings tab icons ([#12867](https://github.com/matrix-org/matrix-react-sdk/pull/12867)). Contributed by @dbkr.
+* Disable jump to read receipt button instead of hiding when nothing to jump to ([#12863](https://github.com/matrix-org/matrix-react-sdk/pull/12863)). Contributed by @t3chguy.
+
+## 🐛 Bug Fixes
+
+* Ensure elements on Login page are disabled when in-flight ([#12895](https://github.com/matrix-org/matrix-react-sdk/pull/12895)). Contributed by @t3chguy.
+* Hide pinned messages when grouped in timeline when feature pinning is disabled ([#12888](https://github.com/matrix-org/matrix-react-sdk/pull/12888)). Contributed by @florianduros.
+* Add chat button on new room header for maximised widgets ([#12882](https://github.com/matrix-org/matrix-react-sdk/pull/12882)). Contributed by @t3chguy.
+* Show spinner whilst initial search request is in progress ([#12883](https://github.com/matrix-org/matrix-react-sdk/pull/12883)). Contributed by @t3chguy.
+* Fix user menu font ([#12879](https://github.com/matrix-org/matrix-react-sdk/pull/12879)). Contributed by @florianduros.
+* Allow selecting text in the right panel topic ([#12870](https://github.com/matrix-org/matrix-react-sdk/pull/12870)). Contributed by @t3chguy.
+* Add missing presence indicator to new room header ([#12865](https://github.com/matrix-org/matrix-react-sdk/pull/12865)). Contributed by @t3chguy.
+* Fix permissions in release tarballs ([#27904](https://github.com/element-hq/element-web/pull/27904)). Contributed by @t3chguy.
+
+## 🧰 Maintenance
+
+* Update dependencies for MSC4157 ([#27906](https://github.com/element-hq/element-web/pull/27906)). Contributed by @AndrewFerr.
+
+
+Changes in [1.11.75](https://github.com/element-hq/element-desktop/releases/tag/v1.11.75) (2024-08-20)
+======================================================================================================
+# Security
+- Fixes for [CVE-2024-42369](https://nvd.nist.gov/vuln/detail/CVE-2024-42369) / [GHSA-vhr5-g3pm-49fm](https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm).
+
 Changes in [1.11.74](https://github.com/element-hq/element-desktop/releases/tag/v1.11.74) (2024-08-13)
 ======================================================================================================
 ## ✨ Features

package.json

@@ -2,7 +2,7 @@
     "name": "element-desktop",
     "productName": "Element",
     "main": "lib/electron-main.js",
-    "version": "1.11.74",
+    "version": "1.11.78",
     "description": "A feature-rich client for Matrix.org",
     "author": "Element",
     "homepage": "https://element.io",
@@ -82,11 +82,11 @@
         "@electron/asar": "^3.2.3",
         "@electron/fuses": "^1.7.0",
         "@mapbox/node-pre-gyp": "^1.0.11",
-        "@playwright/test": "1.45.3",
+        "@playwright/test": "1.46.1",
         "@types/auto-launch": "^5.0.1",
         "@types/counterpart": "^0.18.1",
         "@types/minimist": "^1.2.1",
-        "@types/node": "18.19.41",
+        "@types/node": "18.19.45",
         "@types/pacote": "^11.1.1",
         "@types/tar": "^6.1.3",
         "@types/uuid": "^10.0.0",
@@ -105,7 +105,7 @@
         "eslint-config-prettier": "^9.0.0",
         "eslint-plugin-import": "^2.25.4",
         "eslint-plugin-matrix-org": "^1.0.0",
-        "eslint-plugin-unicorn": "^54.0.0",
+        "eslint-plugin-unicorn": "^55.0.0",
         "glob": "^11.0.0",
         "knip": "^5.0.0",
         "matrix-web-i18n": "^3.2.1",
@@ -122,7 +122,7 @@
         "keytar": "^7.9.0"
     },
     "resolutions": {
-        "@types/node": "18.19.41",
+        "@types/node": "18.19.45",
         "config-file-ts": "0.2.8-rc1"
     }
 }

playwright/Dockerfile

@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/playwright:v1.45.3-jammy
+FROM mcr.microsoft.com/playwright:v1.46.1-jammy
 
 WORKDIR /work/element-desktop
 

src/electron-main.ts

@@ -19,7 +19,7 @@ limitations under the License.
 
 // Squirrel on windows starts the app with various flags as hooks to tell us when we've been installed/uninstalled etc.
 import "./squirrelhooks";
-import { app, BrowserWindow, Menu, autoUpdater, protocol, dialog, Input, Event, session, ipcMain } from "electron";
+import { app, BrowserWindow, Menu, autoUpdater, protocol, dialog, Input, Event, session } from "electron";
 import * as Sentry from "@sentry/electron/main";
 import AutoLaunch from "auto-launch";
 import path from "path";
@@ -42,6 +42,7 @@ import { _t, AppLocalization } from "./language-helper";
 import { setDisplayMediaCallback } from "./displayMediaCallback";
 import { setupMacosTitleBar } from "./macos-titlebar";
 import { loadJsonFile } from "./utils";
+import { setupMediaAuth } from "./media-auth";
 
 const argv = minimist(process.argv, {
     alias: { help: "h" },
@@ -550,50 +551,7 @@ app.on("ready", async () => {
         setDisplayMediaCallback(callback);
     });
 
-    session.defaultSession.webRequest.onBeforeRequest((req, callback) => {
-        // This handler emulates the element-web service worker, where URLs are rewritten late in the request
-        // for backwards compatibility. As authenticated media becomes more prevalent, this should be replaced
-        // by the app using authenticated URLs from the outset.
-        let url = req.url;
-        if (!url.includes("/_matrix/media/v3/download") && !url.includes("/_matrix/media/v3/thumbnail")) {
-            return callback({}); // not a URL we care about
-        }
-
-        // Check for feature support from the server. This requires asking the renderer process for supported
-        // versions.
-        ipcMain.once("serverSupportedVersions", (_, versionsResponse) => {
-            if (versionsResponse?.versions?.includes("v1.11")) {
-                url = url.replace(/\/media\/v3\/(.*)\//, "/client/v1/media/$1/");
-                return callback({ redirectURL: url });
-            } else {
-                return callback({}); // no support == no modification
-            }
-        });
-        global.mainWindow!.webContents.send("serverSupportedVersions"); // ping now that the listener exists
-
-        // we don't invoke callback() in this function - see the ipcMain.once above for callback usage.
-    });
-
-    session.defaultSession.webRequest.onBeforeSendHeaders((req, callback) => {
-        if (!req.url.includes("/_matrix/client/v1/media")) {
-            return callback({}); // invoke unmodified
-        }
-
-        // Only add authorization header to authenticated media URLs. This emulates the service worker
-        // behaviour in element-web.
-
-        // We need to get the access token from the renderer process to do that, though.
-        ipcMain.once("userAccessToken", (_, accessToken) => {
-            // `accessToken` can be falsy, but if we're trying to download media without authentication
-            // then we should expect failure anyway.
-            const headers = { ...req.requestHeaders };
-            headers["Authorization"] = `Bearer ${accessToken}`;
-            return callback({ requestHeaders: headers });
-        });
-        global.mainWindow!.webContents.send("userAccessToken");
-
-        // we don't invoke callback() in this function - see the ipcMain.once above for callback usage.
-    });
+    setupMediaAuth(global.mainWindow);
 });
 
 app.on("window-all-closed", () => {

src/media-auth.ts

@@ -0,0 +1,80 @@
+/*
+Copyright 2024 New Vector Ltd
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import { BrowserWindow, ipcMain, session } from "electron";
+
+/**
+ * Check for feature support from the server.
+ * This requires asking the renderer process for supported versions.
+ */
+async function getSupportedVersions(window: BrowserWindow): Promise<string[]> {
+    return new Promise((resolve) => {
+        ipcMain.once("serverSupportedVersions", (_, versionsResponse) => {
+            resolve(versionsResponse?.versions || []);
+        });
+        window.webContents.send("serverSupportedVersions"); // ping now that the listener exists
+    });
+}
+
+/**
+ * Get the access token for the user.
+ * This requires asking the renderer process for the access token.
+ */
+async function getAccessToken(window: BrowserWindow): Promise<string | undefined> {
+    return new Promise((resolve) => {
+        ipcMain.once("userAccessToken", (_, accessToken) => {
+            resolve(accessToken);
+        });
+        window.webContents.send("userAccessToken"); // ping now that the listener exists
+    });
+}
+
+export function setupMediaAuth(window: BrowserWindow): void {
+    session.defaultSession.webRequest.onBeforeRequest(async (req, callback) => {
+        // This handler emulates the element-web service worker, where URLs are rewritten late in the request
+        // for backwards compatibility. As authenticated media becomes more prevalent, this should be replaced
+        // by the app using authenticated URLs from the outset.
+        let url = req.url;
+        if (!url.includes("/_matrix/media/v3/download") && !url.includes("/_matrix/media/v3/thumbnail")) {
+            return callback({}); // not a URL we care about
+        }
+
+        const supportedVersions = await getSupportedVersions(window);
+        // We have to check that the access token is truthy otherwise we'd be intercepting pre-login media request too,
+        // e.g. those required for SSO button icons.
+        const accessToken = await getAccessToken(window);
+        if (supportedVersions.includes("v1.11") && accessToken) {
+            url = url.replace(/\/media\/v3\/(.*)\//, "/client/v1/media/$1/");
+            return callback({ redirectURL: url });
+        } else {
+            return callback({}); // no support == no modification
+        }
+    });
+
+    session.defaultSession.webRequest.onBeforeSendHeaders(async (req, callback) => {
+        if (!req.url.includes("/_matrix/client/v1/media")) {
+            return callback({}); // invoke unmodified
+        }
+
+        // Only add authorization header to authenticated media URLs. This emulates the service worker
+        // behaviour in element-web.
+        const accessToken = await getAccessToken(window);
+        // `accessToken` can be falsy, but if we're trying to download media without authentication
+        // then we should expect failure anyway.
+        const headers = { ...req.requestHeaders, Authorization: `Bearer ${accessToken}` };
+        return callback({ requestHeaders: headers });
+    });
+}