gitforge/services
Mathieu Fenniak 4b83448b7d 2026-06-10 security patches (#13001)
- fix: prevent stored XSS in user display name on Actions page
- fix: LFS locks must belong to the intended repo, port from Gitea
- fix: prevent unauthorized access to draft releases via API
- fix: prevent writes to OpenID visibility which may affect other users
- fix: prevent viewing private PRs that are linked to public issues on public projects

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13001
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Beowulf <beowulf@beocode.eu>
2026-06-10 06:05:01 +02:00
..
actions chore: re-enable nilnil lint for models/actions/task.go (#12768) 2026-06-05 01:38:23 +02:00
agit
asymkey fix: cleanup data before migration retry (#12370) 2026-05-05 12:41:42 +02:00
attachment
auth chore: add more error output for an invalid JWT key identifier (#12903) 2026-06-02 23:39:51 +02:00
authz feat: enable auth to git LFS via authorized integrations (#12725) 2026-05-28 23:20:58 +02:00
automerge fix: apply signed-merge checks by merge style (#11403) 2026-04-09 20:26:27 +02:00
context feat: in-browser validation of website URLs for user, repository, and organization profiles (#12991) 2026-06-08 17:35:15 +02:00
contexttest
convert feat(api,ui): add multiline comment on pullrequest (#12582) 2026-06-03 16:06:29 +02:00
cron fix: cleanup data before migration retry (#12370) 2026-05-05 12:41:42 +02:00
doctor fix(doctor): ensure the doctor runs with the same settings.AppPath as Forgejo (#12901) 2026-06-06 03:23:06 +02:00
externalaccount
f3
federation fix(activitypub): only return public activities on request (#12382) 2026-05-09 05:02:57 +02:00
feed
forgejo
forms feat: apply service.VALID_SITE_URL_SCHEMES to apply to repository and organization profiles (#12962) 2026-06-08 15:17:51 +02:00
gitdiff fix: relocate PR review comments using git blame --reverse, improving comment placement (#12015) 2026-04-11 21:45:39 +02:00
indexer
issue chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
lfs 2026-06-10 security patches (#13001) 2026-06-10 06:05:01 +02:00
mailer feat(api,ui): add multiline comment on pullrequest (#12582) 2026-06-03 16:06:29 +02:00
markup
migrations fix: do not migrate confidential issues and internal notes from Gitlab (#12735) 2026-05-28 20:45:24 +02:00
mirror fix: store pull mirror creds encrypted with keying (#11909) 2026-04-04 13:53:22 +02:00
moderation
notify
org
packages feat: adds option to force overwrite new branch for /contents route (#12663) 2026-06-06 16:45:57 +02:00
pull feat(api,ui): add multiline comment on pullrequest (#12582) 2026-06-03 16:06:29 +02:00
redirect
release
remote
repository feat: adds option to force overwrite new branch for /contents route (#12663) 2026-06-06 16:45:57 +02:00
secrets feat: allow renaming and replacing secrets (#11732) 2026-03-23 03:30:02 +01:00
shared/automerge
stats chore: upgrade to https://code.forgejo.org/xorm/xorm v1.4.0 (#12639) 2026-05-20 20:20:08 +02:00
task fix: cleanup data before migration retry (#12370) 2026-05-05 12:41:42 +02:00
uinotification
user fix: re-uploading the same avatar doesn't delete it (#12823) 2026-05-30 13:25:36 +02:00
webhook feat: Update Microsoft Teams webhook to use AdaptiveCard (#11704) 2026-05-26 16:10:55 +02:00
wiki feat: replace repo based server-side hooks with centralised hooks (#10397) 2026-04-27 22:34:46 +02:00