🐛 Fix negative border radius token

.github/workflows/plugins-deploy-package.yml

@@ -80,7 +80,7 @@ jobs:
       - name: "Build package for ${{ inputs.plugin_name }}-plugin"
         working-directory: plugins
         shell: bash
-        run: pnpm --filter ${{ inputs.plugin_name }}-plugin build
+        run: npx nx build ${{ inputs.plugin_name }}-plugin
 
       - name: Select Worker name
         run: |

.github/workflows/plugins-deploy-styles-doc.yml

@@ -78,7 +78,7 @@ jobs:
       - name: Build styles
         working-directory: plugins
         shell: bash
-        run: pnpm run build:styles-example
+        run: npx nx run example-styles:build
 
       - name: Select Worker name
         run: |

CHANGES.md

@@ -1,17 +1,12 @@
 # CHANGELOG
 
-## 2.13.3
-
-### :bug: Bugs fixed
-
-- Revert yetti (http server) update, because that caused a regression on multipart uploads
-
 
 ## 2.13.2
 
 ### :bug: Bugs fixed
 
-- Fix arbitrary file read security issue on create-font-variant rpc method (https://github.com/penpot/penpot/security/advisories/GHSA-xp3f-g8rq-9px2)
+- Fix security issue (Path Traversal Vulnerability) on fonts related RPC method
+- Fix allow creating negative border radius tokens [Taiga #13317](https://tree.taiga.io/project/penpot/issue/13317)
 
 
 ## 2.13.1

backend/deps.edn

@@ -28,8 +28,8 @@
   com.google.guava/guava {:mvn/version "33.4.8-jre"}
 
   funcool/yetti
-  {:git/tag "v11.8"
-   :git/sha "1d1b33f"
+  {:git/tag "v11.9"
+   :git/sha "5fad7a9"
    :git/url "https://github.com/funcool/yetti.git"
    :exclusions [org.slf4j/slf4j-api]}
 

docs/technical-guide/getting-started/index.md

@@ -8,7 +8,9 @@ desc: Customize your Penpot instance today. Learn how to install with Elestio, D
 This guide explains how to get your own Penpot instance, running on a machine you control,
 to test it, use it by you or your team, or even customize and extend it any way you like.
 
-For additional context, see the post <a href="https://penpot.app/blog/how-to-self-host-penpot/" target="_blank">How to self-host Penpot: A technical implementation guide</a> on the Penpot blog.
+If you need more context you can look at the <a
+href="https://community.penpot.app/t/self-hosting-penpot-i/2336" target="_blank">post
+about self-hosting</a> in Penpot community.
 
 <strong>The experience stays the same, whether you use
 Penpot <a href="https://design.penpot.app" target="_blank">in the cloud</a>

docs/technical-guide/getting-started/recommended-settings.md

@@ -14,7 +14,7 @@ Keep in mind that database size doesn't grow strictly proportionally with user c
 
 # About Valkey / Redis requirements
 
-Valkey is mainly used for coordinating websocket notifications and, since Penpot 2.11, as a cache. Therefore, disk storage will not be necessary as it will use the instance's RAM.
+"Valkey is mainly used for coordinating websocket notifications and, since Penpot 2.11, as a cache. Therefore, disk storage will not be necessary as it will use the instance's RAM.
 
 To prevent the cache from hogging all the system's RAM usage, it is recommended to use two configuration parameters which, both in the docker-compose.yaml provided by Penpot and in the official Helm Chart, come with default parameters that should be sufficient for most deployments:
 

frontend/src/app/main/ui/workspace/tokens/management/forms/border_radius.cljs

@@ -0,0 +1,48 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns app.main.ui.workspace.tokens.management.forms.border-radius
+  (:require
+   [app.common.data :as d]
+   [app.common.files.tokens :as cft]
+   [app.common.schema :as sm]
+   [app.common.types.token :as cto]
+   [app.main.ui.workspace.tokens.management.forms.generic-form :as generic]
+   [app.util.i18n :refer [tr]]
+   [rumext.v2 :as mf]))
+
+(defn- make-schema
+  [tokens-tree]
+  (sm/schema
+   [:and
+    [:map
+     [:name
+      [:and
+       [:string {:min 1 :max 255
+                 :error/fn #(str (:value %) (tr "workspace.tokens.token-name-length-validation-error"))}]
+       (sm/update-properties cto/token-name-ref assoc
+                             :error/fn #(str (:value %) (tr "workspace.tokens.token-name-validation-error")))
+       [:fn {:error/fn #(tr "workspace.tokens.token-name-duplication-validation-error" (:value %))}
+        #(not (cft/token-name-path-exists? % tokens-tree))]]]
+
+     [:value
+      [:and
+       [::sm/text]
+       [:fn {:error/fn #(tr "workspace.tokens.border-radius-token-value-error")}
+        (fn [value]
+          (let [n (d/parse-double value)]
+            (or (nil? n) (not (< n 0)))))]]]
+
+     [:description {:optional true}
+      [:string {:max 2048 :error/fn #(tr "errors.field-max-length" 2048)}]]]]))
+
+
+(mf/defc form*
+  [{:keys [token token-type] :rest props}]
+  (let [props (mf/spread-props props {:token token
+                                      :make-schema make-schema
+                                      :token-type token-type})]
+    [:> generic/form* props]))

frontend/src/app/main/ui/workspace/tokens/management/forms/controls/input.cljs

@@ -160,7 +160,8 @@
          (sd/resolve-tokens-interactive)
          (rx/mapcat
           (fn [resolved-tokens]
-            (let [{:keys [errors resolved-value] :as resolved-token} (get resolved-tokens (:name token))]
+            (let [{:keys [errors resolved-value] :as resolved-token} (get resolved-tokens (:name token))
+                  _ (prn "token" token)]
               (if resolved-value
                 (rx/of {:value resolved-value})
                 (rx/of {:error (first errors)}))))))))
@@ -230,9 +231,16 @@
                                         (do
                                           (swap! form assoc-in [:extra-errors input-name] {:message error})
                                           (reset! hint* {:message error :type "error"}))
-                                        (let [message (tr "workspace.tokens.resolved-value" value)]
-                                          (swap! form update :extra-errors dissoc input-name)
-                                          (reset! hint* {:message message :type "hint"}))))))))]
+                                        ;; This is needed because, SD allows to create br token with negative values
+                                        (if (and
+                                             (< value 0)
+                                             (= :border-radius (:type token)))
+                                          (do
+                                            (swap! form assoc-in [:extra-errors input-name] {:message (tr "workspace.tokens.border-radius-token-value-error")})
+                                            (reset! hint* {:message (tr "workspace.tokens.border-radius-token-value-error") :type "error"}))
+                                          (let [message (tr "workspace.tokens.resolved-value" value)]
+                                            (swap! form update :extra-errors dissoc input-name)
+                                            (reset! hint* {:message message :type "hint"})))))))))]
 
         (fn []
           (rx/dispose! subs))))

frontend/src/app/main/ui/workspace/tokens/management/forms/form_container.cljs

@@ -10,6 +10,7 @@
    [app.common.files.tokens :as cft]
    [app.common.types.tokens-lib :as ctob]
    [app.main.refs :as refs]
+   [app.main.ui.workspace.tokens.management.forms.border-radius :as border-radius]
    [app.main.ui.workspace.tokens.management.forms.color :as color]
    [app.main.ui.workspace.tokens.management.forms.font-family :as font-family]
    [app.main.ui.workspace.tokens.management.forms.generic-form :as generic]
@@ -50,4 +51,5 @@
       :text-case [:> generic/form* text-case-props]
       :text-decoration [:> generic/form* text-decoration-props]
       :font-weight [:> generic/form* font-weight-props]
+      :border-radius [:> border-radius/form* props]
       [:> generic/form* props])))

frontend/translations/en.po

@@ -8080,6 +8080,10 @@ msgstr "Blur value cannot be negative"
 msgid "workspace.tokens.shadow-token-spread-value-error"
 msgstr "Spread value cannot be negative"
 
+#: src/app/main/ui/workspace/tokens/management/forms/border_radius.cljs
+msgid "workspace.tokens.border-radius-token-value-error"
+msgstr "Border-radius value cannot be negative"
+
 #: src/app/main/ui/workspace/tokens/management/create/border_radius.cljs:42, src/app/main/ui/workspace/tokens/management/create/form.cljs:68
 msgid "workspace.tokens.token-name-length-validation-error"
 msgstr "Name should be at least 1 character"

frontend/translations/es.po

@@ -7976,6 +7976,10 @@ msgstr "El valor de blur no puede ser negativo"
 msgid "workspace.tokens.shadow-token-spread-value-error"
 msgstr "El valor de spread no puede ser negativo"
 
+#: src/app/main/ui/workspace/tokens/management/forms/border_radius.cljs
+msgid "workspace.tokens.border-radius-token-value-error"
+msgstr "El valor de Border radius no puede ser negativo"
+
 #: src/app/main/ui/workspace/tokens/management/create/border_radius.cljs:42, src/app/main/ui/workspace/tokens/management/create/form.cljs:68
 msgid "workspace.tokens.token-name-length-validation-error"
 msgstr "El nombre debería ser de al menos 1 caracter"