forgejo/release-notes-published/14.0.3.md
forgejo-release-manager cfd4d53e32 chore(release-notes): Forgejo v14.0.3 [skip ci] (#11583)
https://codeberg.org/forgejo/forgejo/milestone/55554
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11583
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
2026-03-09 07:00:32 +01:00

Release notes

  • Security bug fixes
    • PR: fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the S256 algorithm
    • PR: fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant
    • PR: fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own
    • PR: fix: email notifications for new releases could be sent to users that no longer have access to the repository, or to inactive users
    • PR: fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references
    • PR: fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR
    • PR: fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects
  • User Interface bug fixes
    • PR (backported): fix(ui): hardcode sort options in search syntax hint, improve look
    • PR (backported): fix: modals on small viewport height
    • PR (backported): fix(ui/mde): inputs in table/link insertion modals
    • PR (backported): fix(ui): prevent label overflow in PR CI checks on mobile
  • Localization
    • Updates from Codeberg Translate: #11535 (backport of #10978, #11344)
    • PR: i18n: backport of hint_with_placeholder translations
  • Bug fixes
    • PR (backported): fix: extend basic auth to /v2, always include WWW-Authenticate header (#11393)
    • PR (backported): prevent panic when importing issues from GitLab
    • PR (backported): prevent panic when importing releases with more than 4 release assets from GitLab
    • PR (backported): correct re-mapping of merge-request numbers mentioned in GitLab comments
    • PR (backported): fix: cleanup of multi-platform container images
    • PR (backported): fix: when expanding a dynamic matrix, original 'needs' access was lost
    • PR (backported): fix: improve SQLite "database is locked" errors by increasing default SQLITE_TIMEOUT
    • PR (backported): fix: use an absolute URL for compare links in atom feed
  • Included for completeness but not user-facing (chores, etc.)
    • PR: i18n: revert zh-CN changes in 1452c3ae70 and f602b5f5ed
    • PR (backported): fix: skip repo avatar upload when no file is selected
    • PR: Update dependency go to v1.25.7 (v14.0/forgejo)
    • PR (backported): fix: RPM registry addrepo instructions
    • PR (backported): chore: skip sha256 repo for older git versions
    • PR (backported): chore: add more diagnostic output to dbfs Stat error
    • PR: Update dependency go to v1.25.8 (v14.0/forgejo)
    • PR: Update dependency svgo to v4.0.1 [SECURITY] (v14.0/forgejo)
    • PR: Update github.com/cloudflare/circl (indirect) to v1.6.3 [SECURITY] (v14.0/forgejo)
    • PR: Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.7 (v14.0/forgejo)
    • PR: Update dependency minimatch to v10.2.3 [SECURITY] (v14.0/forgejo)
    • PR: ci: ensure correct node version
    • PR: Update module code.superseriousbusiness.org/exif-terminator to v0.11.1 (v14.0/forgejo)
    • PR: chore: bump go-git/v5 indirect dependency for govulncheck
    • PR: Update dependency webpack to v5.104.1 [SECURITY] (v14.0/forgejo)
    • PR: Update module github.com/go-chi/chi/v5 to v5.2.4 [SECURITY] (v14.0/forgejo)
    • PR: Update module github.com/mattn/go-sqlite3 to v1.14.34 (v14.0/forgejo)
    • PR: Update module code.forgejo.org/forgejo/runner/v12 to v12.6.4 (v14.0/forgejo)
    • PR (backported): fix: don't abandon Action jobs waiting for approval
    • PR (backported): ensure consistent sort order in TestFeed fixture
    • PR (backported): fix: cancel runs pending approval when a PR is closed