

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): <!--number 11514 --><!--line 0 --><!--description LSBmaXg6IFBLQ0UgY2hhbGxlbmdlcyB0byBGb3JnZWpvJ3MgT0F1dGggaWRlbnRpdHkgcHJvdmlkZXIgd2VyZSBub3QgdmFsaWRhdGVkIHdoZW4gdXNpbmcgdGhlIGBTMjU2YCBhbGdvcml0aG0=-->fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the `S256` algorithm<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): <!--number 11514 --><!--line 1 --><!--description LSBmaXg6IEZvcmdlam8gc3VwcG9ydHMgdXNpbmcgYW4gT0F1dGggQmVhcmVyIHRva2VuIHdpdGggSFRUUCBiYXNpYyBhdXRoZW50aWNhdGlvbiwgcmF0aGVyIHRoYW4gQmVhcmVyIHRva2VuIGF1dGhlbnRpY2F0aW9uLCBidXQgZGlkIG5vdCBwcm9wZXJseSBhcHBseSB0aGUgbGltaXRlZCBzY29wZXMgb2YgdGhlIE9BdXRoIGdyYW50-->fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): <!--number 11514 --><!--line 2 --><!--description LSBmaXg6IG1pc3NpbmcgcGVybWlzc2lvbiBjaGVja3MgaW4gYXR0YWNobWVudC1yZWxhdGVkIHdlYiBlbmRwb2ludHMgYWxsb3dlZCBtb2RpZnlpbmcgYXR0YWNobWVudHMgdGhhdCBhIHVzZXIgZGlkIG5vdCBvd24=-->fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): <!--number 11514 --><!--line 3 --><!--description LSBmaXg6IGVtYWlsIG5vdGlmaWNhdGlvbnMgZm9yIG5ldyByZWxlYXNlcyBjb3VsZCBiZSBzZW50IHRvIHVzZXJzIHRoYXQgbm8gbG9uZ2VyIGFjY2VzcyB0byB0aGUgcmVwb3NpdG9yeSwgb3IgdG8gaW5hY3RpdmUgdXNlcnM=-->fix: email notifications for new releases could be sent to users that no longer access to the repository, or to inactive users<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): <!--number 11514 --><!--line 4 --><!--description LSBmaXg6IG1pc3NpbmcgcGVybWlzc2lvbiBjaGVja3MgaW4gdXNlci9vcmctb3duZWQgcHJvamVjdHMgd291bGQgYWxsb3cgbW9kaWZpY2F0aW9ucyBvZiB0aGUgb3Blbi9jbG9zZWQgc3RhdGUgdG8gYmUgbWFkZSB0byBwcm9qZWN0cyB2aWEgaW5zZWN1cmUgZGlyZWN0IG9iamVjdCByZWZlcmVuY2Vz-->fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): <!--number 11514 --><!--line 5 --><!--description LSBmaXg6IG1pc3NpbmcgcGVybWlzc2lvbiBjaGVja3MgaW4gYSB3ZWIgZW5kcG9pbnQgYWxsb3dlZCBjYW5jZWxsYXRpb24gb2YgdGhlIGF1dG9tZXJnZSBvZiBhIFBS-->fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): <!--number 11514 --><!--line 6 --><!--description LSBmaXg6IHByZXZlbnQgYWRkaXRpb25hbCBwYXRoLXRyYXZlcnNhbHMgaW4gcG9zdC1sb2dpbiByZWRpcmVjdCBwYXJhbWV0ZXJzIHRoYXQgYWxsb3dlZCBmb3IgYXJiaXRyYXJ5IHJlZGlyZWN0cw==-->fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects<!--description-->
- User Interface bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11381) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11413)): <!--number 11413 --><!--line 0 --><!--description Zml4KHVpKTogaGFyZGNvZGUgc29ydCBvcHRpb25zIGluIHNlYXJjaCBzeW50YXggaGludCwgaW1wcm92ZSBsb29r-->fix(ui): hardcode sort options in search syntax hint, improve look<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11547) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11560)): <!--number 11560 --><!--line 0 --><!--description Zml4OiBtb2RhbHMgb24gc21hbGwgdmlld3BvcnQgaGVpZ2h0-->fix: modals on small viewport height<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11341) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11499)): <!--number 11499 --><!--line 0 --><!--description Zml4KHVpL21kZSk6IGlucHV0cyBpbiB0YWJsZS9saW5rIGluc2VydGlvbiBtb2RhbHM=-->fix(ui/mde): inputs in table/link insertion modals<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11287) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11327)): <!--number 11327 --><!--line 0 --><!--description Zml4KHVpKTogcHJldmVudCBsYWJlbCBvdmVyZmxvdyBpbiBQUiBDSSBjaGVja3Mgb24gbW9iaWxl-->fix(ui): prevent label overflow in PR CI checks on mobile<!--description-->
- Localization
  - Updates from Codeberg Translate: [#11535](https://codeberg.org/forgejo/forgejo/pulls/11535) (backport of [#10978](https://codeberg.org/forgejo/forgejo/pulls/10978), [#11344](https://codeberg.org/forgejo/forgejo/pulls/11344))
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11570): <!--number 11570 --><!--line 0 --><!--description aTE4bjogYmFja3BvcnQgb2YgaGludF93aXRoX3BsYWNlaG9sZGVyIHRyYW5zbGF0aW9ucw==-->i18n: backport of hint_with_placeholder translations<!--description-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11393) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11557)): <!--number 11557 --><!--line 0 --><!--description Zml4OiBleHRlbmQgYmFzaWMgYXV0aCB0byAvdjIsIGFsd2F5cyBpbmNsdWRlIFdXVy1BdXRoZW50aWNhdGUgaGVhZGVyICgjMTEzOTMp-->fix: extend basic auth to /v2, always include WWW-Authenticate header (#11393)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11282) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11484)): <!--number 11484 --><!--line 0 --><!--description cHJldmVudCBwYW5pYyB3aGVuIGltcG9ydGluZyBpc3N1ZXMgZnJvbSBHaXRMYWI=-->prevent panic when importing issues from GitLab<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11282) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11484)): <!--number 11484 --><!--line 1 --><!--description cHJldmVudCBwYW5pYyB3aGVuIGltcG9ydGluZyByZWxlYXNlcyB3aXRoIG1vcmUgdGhhbiA0IHJlbGVhc2UgYXNzZXRzIGZyb20gR2l0TGFi-->prevent panic when importing releases with more than 4 release assets from GitLab<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11282) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11484)): <!--number 11484 --><!--line 2 --><!--description Y29ycmVjdCByZS1tYXBwaW5nIG9mIG1lcmdlLXJlcXVlc3QgbnVtYmVycyBtZW50aW9uZWQgaW4gR2l0TGFiIGNvbW1lbnRz-->correct re-mapping of merge-request numbers mentioned in GitLab comments<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11246) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11254)): <!--number 11254 --><!--line 0 --><!--description Zml4OiBjbGVhbnVwIG9mIG11bHRpLXBsYXRmb3JtIGNvbnRhaW5lciBpbWFnZXM=-->fix: cleanup of multi-platform container images<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11164) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11166)): <!--number 11166 --><!--line 0 --><!--description Zml4OiB3aGVuIGV4cGFuZGluZyBhIGR5bmFtaWMgbWF0cml4LCBvcmlnaW5hbCAnbmVlZHMnIGFjY2VzcyB3YXMgbG9zdA==-->fix: when expanding a dynamic matrix, original 'needs' access was lost<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11179) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11220)): <!--number 11220 --><!--line 0 --><!--description Zml4OiBpbXByb3ZlIFNRTGl0ZSAiZGF0YWJhc2UgaXMgbG9ja2VkIiBlcnJvcnMgYnkgaW5jcmVhc2luZyBkZWZhdWx0IGBTUUxJVEVfVElNRU9VVGA=-->fix: improve SQLite "database is locked" errors by increasing default `SQLITE_TIMEOUT`<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10933) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11126)): <!--number 11126 --><!--line 0 --><!--description Zml4OiB1c2UgYW4gYWJzb2x1dGUgVVJMIGZvciBjb21wYXJlIGxpbmtzIGluIGF0b20gZmVlZA==-->fix: use an absolute URL for compare links in atom feed<!--description-->
- Included for completeness but not user-facing (chores, etc.)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11581): <!--number 11581 --><!--line 0 --><!--description aTE4bjogcmV2ZXJ0IHpoLUNOIGNoYW5nZXMgaW4gMTQ1MmMzYWU3MCBhbmQgZjYwMmI1ZjVlZA==-->i18n: revert zh-CN changes in 1452c3ae70 and f602b5f5ed<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11335) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11555)): <!--number 11555 --><!--line 0 --><!--description Zml4OiBza2lwIHJlcG8gYXZhdGFyIHVwbG9hZCB3aGVuIG5vIGZpbGUgaXMgc2VsZWN0ZWQ=-->fix: skip repo avatar upload when no file is selected<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11168): <!--number 11168 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjUuNyAodjE0LjAvZm9yZ2Vqbyk=-->Update dependency go to v1.25.7 (v14.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11478) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11552)): <!--number 11552 --><!--line 0 --><!--description Zml4OiBSUE0gcmVnaXN0cnkgYWRkcmVwbyBpbnN0cnVjdGlvbnM=-->fix: RPM registry addrepo instructions<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11542) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11551)): <!--number 11551 --><!--line 0 --><!--description Y2hvcmU6IHNraXAgc2hhMjU2IHJlcG8gZm9yIG9sZGVyIGdpdCB2ZXJzaW9ucw==-->chore: skip sha256 repo for older git versions<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11525) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11528)): <!--number 11528 --><!--line 0 --><!--description Y2hvcmU6IGFkZCBtb3JlIGRpYWdub3N0aWMgb3V0cHV0IHRvIGRiZnMgU3RhdCBlcnJvcg==-->chore: add more diagnostic output to dbfs Stat error<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11527): <!--number 11527 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjUuOCAodjE0LjAvZm9yZ2Vqbyk=-->Update dependency go to v1.25.8 (v14.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11510): <!--number 11510 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgc3ZnbyB0byB2NC4wLjEgW1NFQ1VSSVRZXSAodjE0LjAvZm9yZ2Vqbyk=-->Update dependency svgo to v4.0.1 [SECURITY] (v14.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11498): <!--number 11498 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vY2xvdWRmbGFyZS9jaXJjbCAoaW5kaXJlY3QpIHRvIHYxLjYuMyBbU0VDVVJJVFldICh2MTQuMC9mb3JnZWpvKQ==-->Update github.com/cloudflare/circl (indirect) to v1.6.3 [SECURITY] (v14.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11475): <!--number 11475 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjEuNyAodjE0LjAvZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.7 (v14.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11415): <!--number 11415 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWluaW1hdGNoIHRvIHYxMC4yLjMgW1NFQ1VSSVRZXSAodjE0LjAvZm9yZ2Vqbyk=-->Update dependency minimatch to v10.2.3 [SECURITY] (v14.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11467): <!--number 11467 --><!--line 0 --><!--description Y2k6IGVuc3VyZSBjb3JyZWN0IG5vZGUgdmVyc2lvbg==-->ci: ensure correct node version<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11464): <!--number 11464 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLnN1cGVyc2VyaW91c2J1c2luZXNzLm9yZy9leGlmLXRlcm1pbmF0b3IgdG8gdjAuMTEuMSAodjE0LjAvZm9yZ2Vqbyk=-->Update module code.superseriousbusiness.org/exif-terminator to v0.11.1 (v14.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11412): <!--number 11412 --><!--line 0 --><!--description Y2hvcmU6IGJ1bXAgZ28tZ2l0L3Y1IGluZGlyZWN0IGRlcGVuZGVuY3kgZm9yIGdvdnVsbmNoZWNr-->chore: bump go-git/v5 indirect dependency for govulncheck<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11398): <!--number 11398 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgd2VicGFjayB0byB2NS4xMDQuMSBbU0VDVVJJVFldICh2MTQuMC9mb3JnZWpvKQ==-->Update dependency webpack to v5.104.1 [SECURITY] (v14.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11397): <!--number 11397 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWNoaS9jaGkvdjUgdG8gdjUuMi40IFtTRUNVUklUWV0gKHYxNC4wL2Zvcmdlam8p-->Update module github.com/go-chi/chi/v5 to v5.2.4 [SECURITY] (v14.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11245): <!--number 11245 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21hdHRuL2dvLXNxbGl0ZTMgdG8gdjEuMTQuMzQgKHYxNC4wL2Zvcmdlam8p-->Update module github.com/mattn/go-sqlite3 to v1.14.34 (v14.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11244): <!--number 11244 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNi40ICh2MTQuMC9mb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.6.4 (v14.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11145) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11148)): <!--number 11148 --><!--line 0 --><!--description Zml4OiBkb24ndCBhYmFuZG9uIEFjdGlvbiBqb2JzIHdhaXRpbmcgZm9yIGFwcHJvdmFs-->fix: don't abandon Action jobs waiting for approval<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11176) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11178)): <!--number 11178 --><!--line 0 --><!--description OiBlbnN1cmUgY29uc2lzdGVudCBzb3J0IG9yZGVyIGluIFRlc3RGZWVkIGZpeHR1cmU=-->: ensure consistent sort order in TestFeed fixture<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11134) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11135)): <!--number 11135 --><!--line 0 --><!--description Zml4OiBjYW5jZWwgcnVucyBwZW5kaW5nIGFwcHJvdmFsIHdoZW4gYSBQUiBpcyBjbG9zZWQ=-->fix: cancel runs pending approval when a PR is closed<!--description-->
<!--end release-notes-assistant-->