mirror of
https://github.com/arsvendg/Stirling-PDF.git
synced 2026-07-14 10:34:06 +02:00
19982d7207d1301d1851b0b4b78f1ef51729ab58
5136
Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
19982d7207 |
build(deps): bump actions/ai-inference from 2.0.7 to 2.1.0 (#6415)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
cdfefb02bc |
build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 (#6421)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
5ba6a65c1a |
build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.3 (#6422)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
017c8d59fa |
feat(ai): add Contradiction Agent on a new ChunkedMapper primitive (#6369)
## Summary Adds a new AI specialist that finds **textual contradictions** across one or more PDFs — conflicting claims, recommendations, points of view, contested facts — built entirely in Python on top of the new `DocumentService` + `ChunkedReasoner` stack from #6314. Replaces the closed #6304, which was started before #6314 landed and therefore over-engineered (Java orchestrator, two-round handshake, resume artifact, discriminated-union lift). Two commits: 1. **`refactor(engine): extract ChunkedMapper[T] from ChunkedReasoner`** — pure refactor, public API of ChunkedReasoner unchanged. New `ChunkedMapper[T: BaseModel]` is a generic parallel-chunk primitive (slicing, semaphore, time-bounded extraction, cancellation drain, progress events) that's now a peer to ChunkedReasoner rather than locked inside it. The compression loop stays on ChunkedReasoner where it belongs. 2. **`feat(ai): add Contradiction Agent on ChunkedMapper`** — the agent itself, plus integrations into `PdfReviewAgent` and `PdfQuestionAgent`. ## Architecture - **Python-only.** No Java code. No `AgentToolId.CONTRADICTION_AGENT`. No dedicated HTTP endpoint. No resume artifact, no discriminated-union lift in `contracts/common.py`. Detector runs inside the Python engine and the Python engine alone. - **Review path** (`PdfReviewAgent`): a new `ContradictionIntentClassifier` fires on contradiction-flavoured prompts; agent runs detection synchronously and emits a single `EditPlanResponse(steps=[ADD_COMMENTS])`. Single-turn flow — no resume. - **Question path** (`PdfQuestionAgent`): a new `ContradictionCapability` joins `RagCapability` and `WholeDocReaderCapability` in the smart-model toolset, exposing `find_contradictions(query)`. The smart model picks it from the toolset alongside `search_knowledge` and `read_full_document`. ## Inside `ContradictionDetector.detect()` 1. `DocumentService.read_pages(file_id)` → ordered `list[Page]`. 2. `ChunkedMapper[_ExtractedClaims].map_pages(...)` — char-budgeted multi-page slicing; each slice runs the claim-extractor LLM in parallel under a semaphore. 3. Page-traceability: the extractor returns `_ExtractedClaim.page` (which `[Page N]` marker the claim came from). The wrapper validates `page ∈ chunk.pages`; if not, mechanical fallback searches the chunk's page text for the verbatim quote and reassigns. If still no match, drop the claim. 4. `Claim.anchor_quality: Literal[\"verbatim\", \"paraphrased\"]` is set by a substring check against the declared page's text. Verbatim quotes feed `anchor_text` for snap-to-quote add-comments placement; paraphrased ones fall back to margin geometry. 5. Subject canonicalisation: ONE fast-model LLM call collapses synonyms across the document. Fails open to lexical bucketing. 6. Pre-filters: drop identical-quote pairs; drop same-page same-polarity paraphrases. 7. Per-bucket pair detection in parallel (separate semaphore, cap 5). Buckets > 12 claims chunk into windows of 12 with overlap 2; pairs deduped across overlapping windows by frozen `(i, j)` index pair. 8. Summary fast-model call with fallback string on error. ## Prompt-injection hardening Every prompt that interpolates user-supplied or PDF-extracted text wraps content in `<user_message>` / `<verdict>` / `<content>` tags with an explicit SECURITY preamble instructing the model to treat tagged content as data only. ## Limitations - **Combined math + contradiction intent**: when both intent classifiers fire on the same prompt, contradiction takes precedence and the math intent is silently dropped. Documented in the Review module docstring and pinned by `test_review_integration.py::test_contradiction_precedence_over_math`. - **Cross-window contradiction reach**: within a subject bucket, pairs more than ~10 claim indices apart in the same chunked window may be missed by the overlap-2 strategy. Documented in `test_detector.py`. Acceptable for v1. ## Settings (engine/src/stirling/config/settings.py) ```python contradiction_detect_concurrency = 5 # per-bucket detector semaphore contradiction_bucket_chunk_size = 12 # max claims per detector call contradiction_bucket_chunk_overlap = 2 # overlap for >threshold buckets ``` `chars_per_slice` and extraction concurrency are reused from the existing `chunked_reasoner_*` settings. ## Test plan - [x] `uv run pytest tests/ -v` — **245/245 pass** (210 pre-existing + 35 new) - [x] `uv run ruff check src/ tests/` — clean - [x] `uv run pyright src/stirling/agents/contradiction/ src/stirling/contracts/contradiction.py` — 0 errors - [x] `./gradlew :proprietary:test` — green; no Java was touched, but verified untouched - [x] Page-traceability tests cover: valid page kept, hallucinated page dropped, mechanical-reassign on misattribution, anchor-quality verbatim vs paraphrased - [x] Review integration: ADD_COMMENTS plan with two paired CommentSpecs per contradiction; NeedIngestResponse precheck; precedence vs math intent pinned - [x] Question integration: all three capabilities wired into smart-model toolset; `find_contradictions` returns formatted report text - [x] ChunkedMapper standalone: slicing, multi-chunk ordering, worker failures, timeouts, cancellation drain, semaphore saturation - [x] ChunkedReasoner regression: all pre-existing tests pass unchanged after the internal split ## Relationship to closed #6304 #6304 was closed in favour of this PR. The closed PR predated #6314 and modelled the agent as a Java-orchestrated two-round examine/deliberate flow with its own HTTP endpoint and a discriminated-union resume artifact. With #6314 making full ordered page text available to the engine via `DocumentService.read_pages`, none of that is needed. Net effect: drop ~600 lines of Java, drop the two-round handshake, drop the `ToolReportArtifact` lift, while ending up with a more scalable agent (chunk-based instead of page-based extraction; tested to ChunkedReasoner-equivalent scale). |
||
|
|
0a50e765b7 |
Restructure/frontend editor (#6404)
## Move editor under `frontend/editor/`
Pure restructure: `frontend/` becomes the workspace, `frontend/editor/`
holds
the PDF editor. 1775 file renames + 40 wiring edits. No logic changes.
### Why
`frontend/` is currently the editor — its `src/`, `public/`,
`src-tauri/`,
config files all sit at the root. Promoting `frontend/` to a
workspace and putting the editor in a sibling folder leaves room for
future
apps to drop in alongside it, sharing one `package.json` /
`node_modules` /
lint config / Storybook.
### What moves
frontend/
├── editor/ ← NEW: everything editor-specific
│ ├── src/ ← was frontend/src/
│ ├── public/ ← was frontend/public/
│ ├── src-tauri/ ← was frontend/src-tauri/
│ ├── index.html, vite.config.ts, vitest.config.ts, playwright.config.ts
│ ├── tsconfig*.json, tailwind.config.js, postcss.config.js
│ ├── scripts/
│ ├── .env, .env.desktop, .env.saas
│ └── DeveloperGuide.md
├── package.json, package-lock.json, node_modules/ ← workspace install
├── eslint.config.mjs, .prettierrc, .prettierignore ← shared tooling
├── .gitignore
└── README.md
### Wiring edits (40 files)
- `.taskfiles/frontend.yml`, `desktop.yml`, `e2e.yml`
- `build.gradle`, `app/core/build.gradle`
- `eslint.config.mjs`, `frontend/package.json`, `.gitignore`,
`.prettierignore`
- `docker/frontend/Dockerfile`
- 8 `.github/workflows/*.yml`, plus `.github/dependabot.yml`,
`.github/config/.files.yaml`, `.github/labeler-config-srvaroa.yml`
- `scripts/translations/**`
- Docs: `AGENTS.md`, `CLAUDE.md`, `ADDING_TOOLS.md`,
`DeveloperGuide.md`,
`WINDOWS_SIGNING.md`, `devGuide/HowToAddNewLanguage.md`,
`frontend/README.md`,
`frontend/editor/DeveloperGuide.md`
Plus 3 renamed + edited: `editor/vite.config.ts` (env path +
node_modules
walk-up), `editor/scripts/setup-env.mts` (renamed from `.ts` for
`import.meta.url`), `editor/scripts/build-provisioner.mjs` (resolve
src-tauri
relative to script).
### Verification
| Check | Result |
|---|---|
| `task frontend:typecheck:all` (6 variants) | exit 0 |
| `task frontend:lint` (eslint + dpdm) | exit 0 |
| `task frontend:format:check` | exit 0 |
| `task frontend:test` | 657 tests pass, 50 files |
| `task frontend:build:{core,proprietary,saas,desktop,prototypes}` | all
green |
| `task desktop:build` | full Tauri pipeline →
`Stirling-PDF_2.11.0_x64_en-US.msi` |
| `playwright test --list --project=stubbed` | 172 tests discovered |
`task desktop:build` exercises the heaviest path — Rust + WiX + MSI
bundle
against the moved `editor/src-tauri/`. If anything in the restructure
was
wrong it wouldn't have built.
### Test plan
- [ ] `frontend-validation.yml` green
- [ ] `e2e-stubbed.yml` green
- [ ] `tauri-build.yml` green on at least one platform
- [ ] `check_toml.yml` runs on a translation-touching PR
---------
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
|
||
|
|
48027ee9d6 | JDK25 - Integrate Stirling-Tools JPDFium for PDF operations (#6387) | ||
|
|
22d56bb1fb |
test Depot runners for team commits (#6394)
Co-authored-by: ConnorYoh <[email protected]> |
||
|
|
9d081d1792 |
SaaS Consolidation (#6384)
Co-authored-by: ConnorYoh <[email protected]> |
||
|
|
089de247b4 |
Updated Spanish translation (#6309)
Co-authored-by: Copilot <[email protected]> Co-authored-by: Ludy <[email protected]> Co-authored-by: Anthony Stirling <[email protected]> |
||
|
|
0c3a512b21 |
build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 (#6346)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
707cfa3140 |
build(deps): bump devalue from 5.6.4 to 5.8.1 in /frontend (#6367)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
ea91a35518 |
build(deps): bump org.postgresql:postgresql from 42.7.10 to 42.7.11 (#6375)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
5a5aada2d8 |
build(deps): bump pypdf from 6.10.2 to 6.11.0 in /testing/cucumber (#6376)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
a4ef70eaf8 |
build(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2 (#6377)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
d76d25654a |
build(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 (#6378)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
31b00b7d06 |
build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 (#6379)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
f00c12ad8a |
build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#6380)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
1f5c046362 |
build(deps): bump tokio from 1.49.0 to 1.50.0 in /frontend/src-tauri in the tokio group across 1 directory (#6296)
Bumps the tokio group with 1 update in the /frontend/src-tauri directory: [tokio](https://github.com/tokio-rs/tokio). Updates `tokio` from 1.49.0 to 1.50.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tokio-rs/tokio/releases">tokio's releases</a>.</em></p> <blockquote> <h2>Tokio v1.50.0</h2> <h1>1.50.0 (Mar 3rd, 2026)</h1> <h3>Added</h3> <ul> <li>net: add <code>TcpStream::set_zero_linger</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7837">#7837</a>)</li> <li>rt: add <code>is_rt_shutdown_err</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7771">#7771</a>)</li> </ul> <h3>Changed</h3> <ul> <li>io: add optimizer hint that <code>memchr</code> returns in-bounds pointer (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7792">#7792</a>)</li> <li>io: implement vectored writes for <code>write_buf</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7871">#7871</a>)</li> <li>runtime: panic when <code>event_interval</code> is set to 0 (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7838">#7838</a>)</li> <li>runtime: shorten default thread name to fit in Linux limit (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7880">#7880</a>)</li> <li>signal: remember the result of <code>SetConsoleCtrlHandler</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7833">#7833</a>)</li> <li>signal: specialize windows <code>Registry</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7885">#7885</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>io: always cleanup <code>AsyncFd</code> registration list on deregister (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7773">#7773</a>)</li> <li>macros: remove (most) local <code>use</code> declarations in <code>tokio::select!</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7929">#7929</a>)</li> <li>net: fix <code>GET_BUF_SIZE</code> constant for <code>target_os = "android"</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7889">#7889</a>)</li> <li>runtime: avoid redundant unpark in current_thread scheduler (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7834">#7834</a>)</li> <li>runtime: don't park in <code>current_thread</code> if <code>before_park</code> defers waker (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7835">#7835</a>)</li> <li>io: fix write readiness on ESP32 on short writes (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7872">#7872</a>)</li> <li>runtime: wake deferred tasks before entering <code>block_in_place</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7879">#7879</a>)</li> <li>sync: drop rx waker when oneshot receiver is dropped (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7886">#7886</a>)</li> <li>runtime: fix double increment of <code>num_idle_threads</code> on shutdown (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7910">#7910</a>, <a href="https://redirect.github.com/tokio-rs/tokio/issues/7918">#7918</a>, <a href="https://redirect.github.com/tokio-rs/tokio/issues/7922">#7922</a>)</li> </ul> <h3>Unstable</h3> <ul> <li>fs: check for io-uring opcode support (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7815">#7815</a>)</li> <li>runtime: avoid lock acquisition after uring init (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7850">#7850</a>)</li> </ul> <h3>Documented</h3> <ul> <li>docs: update outdated unstable features section (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7839">#7839</a>)</li> <li>io: clarify the behavior of <code>AsyncWriteExt::shutdown()</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7908">#7908</a>)</li> <li>io: explain how to flush stdout/stderr (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7904">#7904</a>)</li> <li>io: fix incorrect and confusing <code>AsyncWrite</code> documentation (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7875">#7875</a>)</li> <li>rt: clarify the documentation of <code>Runtime::spawn</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7803">#7803</a>)</li> <li>rt: fix missing quotation in docs (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7925">#7925</a>)</li> <li>runtime: correct the default thread name in docs (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7896">#7896</a>)</li> <li>runtime: fix <code>event_interval</code> doc (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7932">#7932</a>)</li> <li>sync: clarify RwLock fairness documentation (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7919">#7919</a>)</li> <li>sync: clarify that <code>recv</code> returns <code>None</code> once closed and no more messages (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7920">#7920</a>)</li> <li>task: clarify when to use <code>spawn_blocking</code> vs dedicated threads (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7923">#7923</a>)</li> <li>task: doc that task drops before <code>JoinHandle</code> completion (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7825">#7825</a>)</li> <li>signal: guarantee that listeners never return <code>None</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7869">#7869</a>)</li> <li>task: fix task module feature flags in docs (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7891">#7891</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/tokio-rs/tokio/commit/0273e45ead199dac7725faee1e3dc35a9c8753ab"><code>0273e45</code></a> chore: prepare Tokio v1.50.0 (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7934">#7934</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/e3ee4e58dc9bb7accf26dfd51b0a2146922b5269"><code>e3ee4e5</code></a> chore: prepare tokio-macros v2.6.1 (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7943">#7943</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/8c980ea75a0f8dd2799403777db700c2e8f4cda4"><code>8c980ea</code></a> io: add <code>write_all_vectored</code> to <code>tokio-util</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7768">#7768</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/e35fd6d6b7d9a8ba37ee621835ef91372c2565cb"><code>e35fd6d</code></a> ci: fix patch during clippy step (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7935">#7935</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/03fe44c10302fdb55c29dbe5b08d4f8769c80272"><code>03fe44c</code></a> runtime: fix <code>event_interval</code> doc (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7932">#7932</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/d18e5dfbb0cdc28725bebb28cde80a6c11ee32bc"><code>d18e5df</code></a> io: fix race in <code>Mock::poll_write</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7882">#7882</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/f21f2693f02aec9a876ac2bd21566c85e15b682e"><code>f21f269</code></a> runtime: fix race condition during the blocking pool shutdown (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7922">#7922</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/d81e8f0acbdd7d866bce4f733b3545fd834c7840"><code>d81e8f0</code></a> macros: remove (most) local <code>use</code> declarations in <code>tokio::select!</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7929">#7929</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/25e7f2641ef2555d688c267059431a2802805f1d"><code>25e7f26</code></a> rt: fix missing quotation in docs (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7925">#7925</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/e1a91ef114a301b542d810abab9956f2868861b9"><code>e1a91ef</code></a> util: fix typo in docs (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7926">#7926</a>)</li> <li>Additional commits viewable in <a href="https://github.com/tokio-rs/tokio/compare/tokio-1.49.0...tokio-1.50.0">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
1787443102 |
build(deps): bump fast-uri from 3.0.6 to 3.1.2 in /devTools (#6332)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
8fb281525b |
build(deps): bump quinn-proto from 0.11.13 to 0.11.14 in /frontend/src-tauri (#6322)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
4c3be4992f | deps: align Bouncy Castle modules to shared version property (#6362) | ||
|
|
2790467241 |
build(deps): bump urllib3 from 2.6.3 to 2.7.0 in /testing/cucumber in the pip group across 1 directory (#6352)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
dd770dfa76 |
build(deps): bump rustls-webpki from 0.103.9 to 0.103.13 in /frontend/src-tauri (#6323)
Signed-off-by: dependabot[bot] <[email protected]> |
||
|
|
b146d9994d |
fix(task): make task dev / task dev:all work on Windows (#6392)
## Summary
`#6145` (port picker) and `#6244` (gradle unification) combined to break
`task dev` / `task dev:all` on Windows. Two independent regressions,
both addressed here.
### 1. `find-free-port.ps1` panic (`#6145`)
```
$ task --dry dev
The argument 'scriptsfind-free-port.ps1' to the -File parameter does not exist.
panic: ended up with a non-nil exitStatus.err but a zero exitStatus.code
```
- **Backslash stripped.** `Taskfile.yml` had
`scripts\find-free-port.ps1`. go-task pipes the `sh:` block through
mvdan/sh, which treats `\` as a POSIX escape and silently drops it,
leaving `scriptsfind-free-port.ps1`. PowerShell can't find the file,
exits non-zero, mvdan/sh panics on the inconsistent exit status.
Switched to a forward slash.
- **`-Preferred 8080,5173` is brittle.** Relies on PowerShell parsing
the comma-list into `[int[]]`. Dropped the named flag; switched the
script's `param` to `[Parameter(ValueFromRemainingArguments =
$true)][int[]]$Preferred`; pass each port as its own positional token
(matching how the bash variant is called).
### 2. `bash gradlew` can't find Java on Windows (`#6244`)
```
[backend:dev] ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
```
`#6244` unified all gradle invocations under `bash gradlew` on the
assumption that Git-Bash inherits Windows-side env. It doesn't (and
neither does WSL bash, which can also shadow `bash` on a developer's
PATH). The standard Adoptium/Temurin installer sets `JAVA_HOME` in the
Windows env only, so `bash gradlew` fails before Spring Boot even loads.
Restored the per-platform branch for every backend task: `cmd /c
".\gradlew.bat ..."` on Windows, `./gradlew ...` on Linux/macOS. Two
Windows-specific gotchas to be aware of for future edits:
- mvdan/sh strips `\` outside of double quotes, so `cmd /c
.\gradlew.bat` ends up as `.gradlew.bat`. The entire payload must be
wrapped in double quotes (`cmd /c "..."`).
- Modern Windows excludes cwd from cmd.exe's search path, so the leading
`.\` is required — bare `cmd /c gradlew.bat` errors with "is not
recognized" even from the repo root.
## Test plan
- [x] `task --dry dev` / `task --dry dev:all` on Windows resolve ports
cleanly and dispatch the inner tasks
- [x] `powershell -NoProfile -File scripts/find-free-port.ps1 8080 5173
5001` prints three ports
- [x] `task backend:dev PORT=8081` on Windows starts Spring Boot in ~9s;
`/api/v1/info/status` returns `{"status":"UP"}`
- [x] `task dev:all` on Windows brings up all three services healthy:
backend `/api/v1/info/status` 200, engine `/health` 200, frontend `/`
200
- [ ] Linux / macOS path unaffected (only the Windows branches changed
in behaviour)
|
||
|
|
2399da6893 |
migrate exportUpdatedPages from bytes to stream (#6201)
Co-authored-by: ConnorYoh <[email protected]> |
||
|
|
2c15044dfa | Snag/disable logo drag (#6393) | ||
|
|
31f6ea4b25 |
perf(frontend): stabilize hot-path context subscriptions to fix excessive rerenders (#6373)
## Summary
The frontend was rerendering excessively across many interactions —
typing, clicking tools, opening modals, toggling the sidebar — because
**multiple compounding ref-instability cascades defeated `memo()` checks
in hot paths**. This PR fixes the cascades structurally.
Seven focused commits, low-to-high blast radius:
1. `perf(contexts): memoize BannerContext provider value`
2. `perf(contexts): memoize CommentAuthor and ActiveDocument provider
values`
3. `perf(contexts): memoize AppConfigContext provider value`
4. `perf(useToolManagement): stop spreading tool entries to keep refs
stable` — **root-cause fix**
5. `refactor(ToolPicker): hoist module-scope styles and helpers`
6. `feat(ToolWorkflowContext): add ref-stable Actions and Data subset
contexts` — additive
7. `perf(tools): migrate hot consumers to slim contexts and wrap in
memo()`
(Plus `style: apply prettier formatting` for CI.)
## What was wrong
Whenever something high-up in the tree caused a render, a chain of
unstable references propagated downward and forced every `ToolButton` to
re-execute its full body (hooks, derived computations, hook
subscriptions to other contexts). The chain:
- **4 unstable Context providers** (`Banner`, `CommentAuthor`,
`ActiveDocument`, `AppConfig`) were passing fresh `value={{ … }}`
objects on every render. Every consumer rerendered on every ancestor
render.
- **`useToolManagement.toolRegistry`** spread `{...baseTool, name,
description}` — a no-op spread that manufactured a new tool object
identity on every memo recompute.
- **The big `ToolWorkflowContext`** (25+ fields including
`state.searchQuery`) rebuilt its entire value on every
keystroke/click/toggle, forcing every `useToolWorkflow()` consumer (~36
files) to rerender.
- **`useToolNavigation`** transitively subscribed every `ToolButton` to
the full workflow context.
- **`ToolButton` & `ToolPicker`** weren't `memo()`-wrapped, so nothing
checked.
- **`ToolPanel`** passed inline `onSelect={(id) =>
handleToolSelect(...)}` — fresh ref every render, defeats child
memoization.
- **`ToolPicker`** allocated inline styles / `[]` / `toTitleCase` inside
the function body — churned `useToolSections`'s internal memo.
## Interaction matrix — what improves
The PR fixes the underlying ref-stability problem; the same fix benefits
*every* interaction that previously triggered the cascade:
| Interaction | Before | After |
|---|---|---|
| **Typing in tool search** | All visible buttons rerender per keystroke
| Only buttons whose matched-text changes rerender |
| **Clicking a tool** | All 36 `useToolWorkflow()` consumers rerender |
Only previously-selected and newly-selected buttons rerender (via
`isSelected` prop) |
| **Toggling sidebar / panel mode / reader mode** | Every tool button
rerenders | Tool components stay still (slim context doesn't see UI
state) |
| **Switching workbench / navigation** | `handleToolSelect` identity
changes → cascades through `onSelect` props | Ref-stabilized in Actions
context. Identity stable. Children's memo bails |
| **Modal/dialog open/close** | AppConfig churns → every `useAppConfig`
consumer rerenders (ToolButton reads `premiumEnabled`) | AppConfig
memoized; consumers rerender only when config changes |
| **Banner show/hide** | BannerProvider value churns → every consumer
rerenders on any ancestor render | Memoized; AppLayout rerenders only
when banner content changes |
| **Any state update high in the tree** | Compounding cascade defeats
memo everywhere | Stable subscriptions; memo bails out |
## Evidence
Per-keystroke prop instability on `ToolButton` (cleanest measurable
signal, captured via custom memo comparators logging which prop refs
differ):
| | `tool` ref diffs | `onSelect` ref diffs | `matchedSynonym` value
diffs | Total |
|---|---|---|---|---|
| Before | 18 | 18 | 6 | **42** |
| After | 0 | 0 | 6 | **6 (all legitimate)** |
→ **86% reduction** in spurious per-keystroke prop instability. The 6
remaining matched-synonym diffs are correct (different substring
highlighted per keystroke).
Context value rebuild counts during a keystroke (verified with
instrumented `useMemo` factories): `useToolWorkflowData=0`,
`useToolWorkflowActions=0`, `AppConfigContext=0`.
The same stabilization applies to click/toggle/modal interactions — they
were all driven by the same cascading invalidations.
## Honest caveat on render-count metrics
`React.Profiler` counts and function-body execution counts in **dev
mode** came back identical before vs after (StrictMode + concurrent
rendering + Mantine internal commits dominate the numbers). The PR's
value is measured against the **prop-stability signal** above, not
Profiler counts. Production builds — where StrictMode doesn't
double-render and Mantine internals aren't constantly committing — will
show memo bail out properly.
## Risk × benefit
| # | Commit | Risk | Benefit |
|---|--------|------|---------|
| 1 | BannerContext memo | ⬛ Trivial | 🟦 Small |
| 2 | CommentAuthor + ActiveDocument memo | ⬛ Trivial | 🟦 Small |
| 3 | AppConfig memo | ⬛ Trivial | 🟦 Moderate (wide consumer base) |
| 4 | useToolManagement spread removal | ⬛ Trivial | 🟥 **High (root
cause)** |
| 5 | ToolPicker hoist | ⬛ Trivial | 🟦 Small |
| 6 | ToolWorkflowContext split | 🟧 Low-Med | 🟥 **High (foundation)** |
| 7 | Hot consumer migration + memo | 🟧 Low-Med | 🟥 **High
(actualization)** |
Commit 6 introduces an invariant: ref-stabilized callbacks in the
Actions context must only be invoked from event handlers (post-commit),
never during render. All current call sites comply.
## Test plan
- [x] `npx playwright test --project=stubbed` — 145 / 6 skipped / 0
failed before and after.
- [x] Targeted regression: `main-dashboard`, `tool-search`, `navigation`
— 11/11 passing.
- [x] CI passing on commits (one infrastructure flake on
`docker-compose-tests` — "No space left on device" — unrelated;
rerunning).
- [ ] Manual sanity check in a dev build after merge.
## What this enables
The same Actions + Data subset-context pattern can be applied to
`FileContext`, `NavigationContext`, and other big contexts. The
foundation is in place.
|
||
|
|
f9fbc37800 | add translations (#6390) | ||
|
|
6b9567cf38 |
Split and delete forms (#6277)
Delete orphaned forms when removing pages and maintain forms correctly when splitting --------- Co-authored-by: ConnorYoh <[email protected]> |
||
|
|
c731d5fd5d |
UI redesign staging (#6149)
Co-authored-by: Reece Browne <[email protected]> Co-authored-by: James Brunton <[email protected]> |
||
|
|
beb99e273b |
Improve edit agent's knowledge of tools (#6356)
# Description of Changes Give Edit Agent access to descriptions of the request from the Java API. This opens the door to us better documenting our Java APIs to give the stirling engine better knowledge of what the various tools are and how to use them. Also improves the tool selection sub-agent to get the tool parameters and descriptions so it can more intelligently decide which operations should be used to fulfil the user's request. Also provides it more encouragement to string together multiple operations if necessary. |
||
|
|
ece1bb6865 |
Feature/pdf to markdown agent (#6271)
Co-authored-by: James Brunton <[email protected]> |
||
|
|
5b9ef852ab |
ci: remove frontend validation PR comment after successful check (#6360)
# Description of Changes - Added a GitHub Actions step to remove the frontend validation check comment when the frontend check succeeds on pull requests. - The step searches for an existing PR comment containing the `<!-- frontend-check -->` marker and deletes it if found. - The change was made to keep pull request discussions clean by removing stale frontend check comments once the validation passes. --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### Translations (if applicable) - [ ] I ran [`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have run `task check` to verify linters, typechecks, and tests pass - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md#7-testing) for more details. |
||
|
|
672e81d286 |
Add ability for Stirling engine to reason across large documents (#6314)
# Description of Changes Adds storage in the database for full document content alongside the RAG content (and changes the service to `DocumentService` instead of `RagService`). Then adds a generic capability that should be usable by any agent (currently just used by the Question Agent) which allows the agent to pull out the full contents of the doc, chunks it into various sections that will fit in the context window, and then processes them in parallel to create an intermediate result, and then processes the intermediate result into a final answer. It will re-chunk as many times as necessary to get the content small enough for the actual answer to be analysed (I've tested on PDFs ~3500 pages long, which is well above the context limit and requires maybe 3 rounds of compression to get an answer). The new full doc analysis stuff is heavier than the RAG lookup so both remain. The agents should use RAG for targeted info and the chunked reasoner for info that requires reading the full doc. |
||
|
|
8abe734f0b |
Fix main frontend validation (#6361)
# Description of Changes #6312 reformatted `tauri.conf.json` via the Gradle script, which reformats the entire file to not match the Prettier style. This PR reformats the file back to Prettier format and changes the script to update the version number without reformatting the entire file. To be honest I'm not a huge fan of updating the version number with regexes but it'd be a fool's errand to try and get Gradle to output JSON in Prettier format, and this seems simpler than shelling out to run Prettier over the file after the version string has been updated. Any better ideas, let me know. |
||
|
|
8a59c10f42 |
Update Backend 3rd Party Licenses (#6312)
Auto-generated by stirlingbot[bot] This PR updates the backend license report based on dependency changes. --------- Signed-off-by: stirlingbot[bot] <stirlingbot[bot]@users.noreply.github.com> Co-authored-by: stirlingbot[bot] <195170888+stirlingbot[bot]@users.noreply.github.com> Co-authored-by: Anthony Stirling <[email protected]> |
||
|
|
d62f2ad3ed |
unoserver docker (#6328)
# Description of Changes <!-- Please provide a summary of the changes, including: - What was changed - Why the change was made - Any challenges encountered Closes #(issue_number) --> --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### Translations (if applicable) - [ ] I ran [`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have run `task check` to verify linters, typechecks, and tests pass - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md#7-testing) for more details. |
||
|
|
f60a075443 |
Add Playwright/bootRun/test.sh tasks (#6244)
## Description Consolidates Playwright running under cohesive Task namespaces, isolates Playwright state from the developer's local working tree, and swaps CI's frontend webserver from `vite` dev to `vite preview` against a pre-built `dist/`. ### `e2e:*` namespace Renames `.taskfiles/testing.yml` to `.taskfiles/e2e.yml` and consolidates everything Playwright-related under one `e2e:` namespace: - `e2e:stubbed` / `e2e:live` / `e2e:enterprise` / `e2e:cross-browser`: project-specific runners - `e2e:check` (no-Docker subset) and `e2e:check:all` (full) - `e2e:oauth:up` / `:down`, `e2e:saml:up` / `:down`: symmetric lifecycle for the keycloak compose stacks - `e2e:install`: Playwright browser install - `docker:test`: full Docker integration suite The redundant `frontend:test:e2e:*` project shortcuts are removed. CI workflows (`e2e-stubbed.yml`, `e2e-live.yml`, `build-enterprise.yml`, `nightly.yml`) are updated to call the new task names. ### Isolated Playwright state New `STIRLING_BASE_PATH` (and `-Dstirling.base-path=`) override in `InstallationPathConfig` redirects the entire state tree (configs, backups, customFiles, pipeline, logs) at startup. `task e2e:live` points it at `.test-state/playwright/` (purged on every invocation) so the suite never touches the developer's local DB, settings.yml or backups. `task e2e:live` auto-spawns gradle, waits for `/api/v1/info/status` to come up, runs Playwright, then tears down the whole backend process tree. ### CI runs Playwright against `vite preview` Builds the frontend up-front with `VITE_BUILD_FOR_PREVIEW=1` (forces absolute base so deep SPA routes resolve `/assets/...`) and the playwright `webServer` now uses `vite preview --port 5173 --strictPort` in CI. Avoids the per-page on-demand transform cost that was blowing the 30s navigation timeout under `--workers=3` on `all-tool-pages-load.spec.ts`. Local dev keeps `vite` dev for HMR. ### OAuth/SAML compose helpers `start-oauth-test.sh` and `start-saml-test.sh` gain a `--license-key <KEY>` (`-k`) flag so CI and scripted runs can skip the interactive license prompt. `start-oauth-test.sh` also moves from `for arg in "$@"` to a `while`-with-`shift` arg loop to support multi-arg flags consistently with the SAML script. ### Backend gradlew unification Drops the per-platform `cmd /c gradlew.bat` branches from `backend.yml` and routes every gradle invocation through `bash gradlew`. Works uniformly on Linux/macOS and Windows-with-Git-Bash. ### Compare.tsx flake fix (re-land of [#6316](https://github.com/Stirling-Tools/Stirling-PDF/pull/6316)) Piggybacks Anthony's never-merged fix from #6316. Without it, `e2e:stubbed` continues to flake under `--workers=3` on `compare.spec.ts`'s second-upload case via a React "Maximum update depth exceeded" infinite loop in the Compare auto-fill effect. CI traces from recent failed runs match exactly; 10 local runs of `compare.spec.ts` with `CI=1 --workers=3` pass cleanly with the fix applied. --------- Co-authored-by: James Brunton <[email protected]> |
||
|
|
c059e13423 |
Fix desktop app overscrolling inappropriately (#6350)
# Description of Changes Fix #6348 |
||
|
|
575684ee4b |
Add edit text support to stirling engine (#6245)
# Description of Changes Hooks up the (alpha) PDF Editor backend to the AI engine Edit Agent via an intermediary API which is easier for the agent to call. It suffers from all the same issues that the PDF Editor does in actually editing the text, but should also benefit from any fixes to that. It also adds protection against the underlying tools misbehaving by hanging, and fixes a hanging bug in the PDF Editor. --------- Co-authored-by: EthanHealy01 <[email protected]> |
||
|
|
294b616a63 |
build(deps): bump org.springframework.boot:spring-boot-dependencies from 4.0.5 to 4.0.6 (#6337)
Bumps [org.springframework.boot:spring-boot-dependencies](https://github.com/spring-projects/spring-boot) from 4.0.5 to 4.0.6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/spring-projects/spring-boot/releases">org.springframework.boot:spring-boot-dependencies's releases</a>.</em></p> <blockquote> <h2>v4.0.6</h2> <h2>🐞 Bug Fixes</h2> <ul> <li>Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50188">#50188</a></li> <li>Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50187">#50187</a></li> <li>ApplicationPidFileWriter does not handle symlinks correctly <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50185">#50185</a></li> <li>RandomValuePropertySource is not suitable for secrets <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50183">#50183</a></li> <li>Cassandra auto-configuration misconfigures CqlSessionBuilder <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50180">#50180</a></li> <li>ApplicationTemp does not handle symlinks correctly <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50178">#50178</a></li> <li>Remote DevTools performs comparison incorrectly <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50176">#50176</a></li> <li>spring.rabbitmq.ssl.verify-hostname is applied inconsistently <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50174">#50174</a></li> <li>Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50077">#50077</a></li> <li>Classic starters are missing several modules <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50071">#50071</a></li> <li>Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic <a href="https://redirect.github.com/spring-projects/spring-boot/pull/50069">#50069</a></li> <li>Annotations like <code>@Ssl</code> don't work on <code>@Bean</code> methods when using <code>@ServiceConnection</code> <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50064">#50064</a></li> <li>EnversRevisionRepositoriesRegistrar should reuse <code>@EnableEnversRepositories</code> rather than configuring the JPA counterpart <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50039">#50039</a></li> <li>WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50017">#50017</a></li> <li>Imports on a containing test class are ignored when a nested class has imports <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50012">#50012</a></li> <li>With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49951">#49951</a></li> <li>500 response from env endpoint when supplied pattern is invalid <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49946">#49946</a></li> <li>Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49945">#49945</a></li> <li>HTTP method is lost when configuring excludes in EndpointRequest <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49943">#49943</a></li> <li>Honor HttpMethod for reactive additional endpoint paths <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49880">#49880</a></li> <li>Docker Compose support doesn't work with apache/artemis image <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49869">#49869</a></li> <li>Docker Compose support doesn't work with apache/activemq image <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49866">#49866</a></li> <li>Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49854">#49854</a></li> <li>API versioning path strategy should be applied path last as it is not meant to yield <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49800">#49800</a></li> </ul> <h2>📔 Documentation</h2> <ul> <li>Update docs to encourage Java fundamentals for beginners that prefer to learn that way <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50146">#50146</a></li> <li>HTTP Service Interface Clients still document that API versioning can be configured via properties <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50126">#50126</a></li> <li>Link to the observability section of the Lettuce documentation is broken <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50097">#50097</a></li> <li>Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50085">#50085</a></li> <li>MySamlRelyingPartyConfiguration is missing a Kotlin sample <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50024">#50024</a></li> <li>Incorrect default value for management.httpexchanges.recording.include in configuration metadata <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50019">#50019</a></li> <li>Link to the Kubernetes documentation when discussing startup probes <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50015">#50015</a></li> <li>Typo in JdbcSessionAutoConfiguration Javadoc <a href="https://redirect.github.com/spring-projects/spring-boot/pull/49873">#49873</a></li> <li>Clarify that configuration property default values are not available through the Environment <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49851">#49851</a></li> <li>Document the need for Liquibase and Flyway starters <a href="https://redirect.github.com/spring-projects/spring-boot/pull/49839">#49839</a></li> <li>Kafka documentation refers to deprecated JSON serializer and deserializer classes <a href="https://redirect.github.com/spring-projects/spring-boot/pull/49826">#49826</a></li> </ul> <h2>🔨 Dependency Upgrades</h2> <ul> <li>Upgrade to Elasticsearch Client 9.2.8 <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50027">#50027</a></li> <li>Upgrade to Groovy 5.0.5 <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49911">#49911</a></li> <li>Upgrade to Hibernate 7.2.12.Final <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50134">#50134</a></li> <li>Upgrade to Jackson Bom 3.1.2 <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50051">#50051</a></li> <li>Upgrade to <a href="https://github.com/jaxen-xpath/jaxen/releases/tag/v2.0.1">Jaxen 2.0.1</a> <a href="https://redirect.github.com/spring-projects/spring-boot/issues/50104">#50104</a></li> <li>Upgrade to <a href="https://github.com/FirebirdSQL/jaybird/releases/tag/v6.0.5">Jaybird 6.0.5</a> <a href="https://redirect.github.com/spring-projects/spring-boot/issues/49914">#49914</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/spring-projects/spring-boot/commit/8821ad2cd381bb4b9615a61479e1de7305a8ba39"><code>8821ad2</code></a> Release v4.0.6</li> <li><a href="https://github.com/spring-projects/spring-boot/commit/9e4048a03f17adfe78057a3c4d5b4693305c0ae0"><code>9e4048a</code></a> Merge branch '3.5.x' into 4.0.x</li> <li><a href="https://github.com/spring-projects/spring-boot/commit/20bb11c3984802990572ddbeae8b66885a8f2462"><code>20bb11c</code></a> Next development version (v3.5.15-SNAPSHOT)</li> <li><a href="https://github.com/spring-projects/spring-boot/commit/98daa8ea30f39a5b0ca6768b5cbc2dc8698ef4e1"><code>98daa8e</code></a> Merge branch '3.5.x' into 4.0.x</li> <li><a href="https://github.com/spring-projects/spring-boot/commit/9dc5aa2863f598a15d3dfa116f4b89249daba7e7"><code>9dc5aa2</code></a> Polish</li> <li><a href="https://github.com/spring-projects/spring-boot/commit/874f6294b91da18367b8b5ab7b2fad3fa23cfba6"><code>874f629</code></a> Fix default security with actuator but without health</li> <li><a href="https://github.com/spring-projects/spring-boot/commit/e41b3bf731d1134bc18ec1f68ac01e0fe1c54923"><code>e41b3bf</code></a> Enable hostname verification for SSL connections to Elasticsearch</li> <li><a href="https://github.com/spring-projects/spring-boot/commit/ef8527bb0ef8f564f4f9c57a7be99a7aa96c6ab0"><code>ef8527b</code></a> Merge branch '3.5.x' into 4.0.x</li> <li><a href="https://github.com/spring-projects/spring-boot/commit/f533a4549c3999aac30cb5830f07dc304933e93d"><code>f533a45</code></a> Do not follow symlinks when writing PID file</li> <li><a href="https://github.com/spring-projects/spring-boot/commit/4a7bd332b6d19fef1aa4cf28434985f2b03a2e0f"><code>4a7bd33</code></a> Merge branch '3.5.x' into 4.0.x</li> <li>Additional commits viewable in <a href="https://github.com/spring-projects/spring-boot/compare/v4.0.5...v4.0.6">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
f61121953e |
fix: replace deprecated payload too large status (#6336)
# Description of Changes - Replaced the deprecated `HttpStatus.PAYLOAD_TOO_LARGE` usage with `HttpStatus.CONTENT_TOO_LARGE` in `GlobalExceptionHandler` - Updated the upload-size exception response creation and response status to use the newer HTTP 413 enum - Updated related unit tests to assert `HttpStatus.CONTENT_TOO_LARGE` - The change was made to avoid using the deprecated Spring HTTP status enum while keeping the returned status code behavior unchanged --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### Translations (if applicable) - [ ] I ran [`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have run `task check` to verify linters, typechecks, and tests pass - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md#7-testing) for more details. |
||
|
|
8645280ee5 |
build(deps): bump reportlab from 4.4.10 to 4.5.0 in /testing/cucumber (#6338)
Bumps [reportlab](https://www.reportlab.com/) from 4.4.10 to 4.5.0. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
bd50e2e59d |
build(deps): bump commons-io:commons-io from 2.21.0 to 2.22.0 in /app/core (#6344)
Bumps commons-io:commons-io from 2.21.0 to 2.22.0. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
77abaf5de5 |
build(deps): bump actions/cache from 5.0.4 to 5.0.5 (#6349)
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p> <blockquote> <h2>v5.0.5</h2> <h2>What's Changed</h2> <ul> <li>Update ts-http-runtime dependency by <a href="https://github.com/yacaovsnc"><code>@yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1747">actions/cache#1747</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v5...v5.0.5">https://github.com/actions/cache/compare/v5...v5.0.5</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's changelog</a>.</em></p> <blockquote> <h1>Releases</h1> <h2>How to prepare a release</h2> <blockquote> <p>[!NOTE]<br /> Relevant for maintainers with write access only.</p> </blockquote> <ol> <li>Switch to a new branch from <code>main</code>.</li> <li>Run <code>npm test</code> to ensure all tests are passing.</li> <li>Update the version in <a href="https://github.com/actions/cache/blob/main/package.json"><code>https://github.com/actions/cache/blob/main/package.json</code></a>.</li> <li>Run <code>npm run build</code> to update the compiled files.</li> <li>Update this <a href="https://github.com/actions/cache/blob/main/RELEASES.md"><code>https://github.com/actions/cache/blob/main/RELEASES.md</code></a> with the new version and changes in the <code>## Changelog</code> section.</li> <li>Run <code>licensed cache</code> to update the license report.</li> <li>Run <code>licensed status</code> and resolve any warnings by updating the <a href="https://github.com/actions/cache/blob/main/.licensed.yml"><code>https://github.com/actions/cache/blob/main/.licensed.yml</code></a> file with the exceptions.</li> <li>Commit your changes and push your branch upstream.</li> <li>Open a pull request against <code>main</code> and get it reviewed and merged.</li> <li>Draft a new release <a href="https://github.com/actions/cache/releases">https://github.com/actions/cache/releases</a> use the same version number used in <code>package.json</code> <ol> <li>Create a new tag with the version number.</li> <li>Auto generate release notes and update them to match the changes you made in <code>RELEASES.md</code>.</li> <li>Toggle the set as the latest release option.</li> <li>Publish the release.</li> </ol> </li> <li>Navigate to <a href="https://github.com/actions/cache/actions/workflows/release-new-action-version.yml">https://github.com/actions/cache/actions/workflows/release-new-action-version.yml</a> <ol> <li>There should be a workflow run queued with the same version number.</li> <li>Approve the run to publish the new version and update the major tags for this action.</li> </ol> </li> </ol> <h2>Changelog</h2> <h3>5.0.4</h3> <ul> <li>Bump <code>minimatch</code> to v3.1.5 (fixes ReDoS via globstar patterns)</li> <li>Bump <code>undici</code> to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)</li> <li>Bump <code>fast-xml-parser</code> to v5.5.6</li> </ul> <h3>5.0.3</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a href="https://github.com/actions/cache/security/dependabot/33">https://github.com/actions/cache/security/dependabot/33</a>)</li> <li>Bump <code>@actions/core</code> to v2.0.3</li> </ul> <h3>5.0.2</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.3 <a href="https://redirect.github.com/actions/cache/pull/1692">#1692</a></li> </ul> <h3>5.0.1</h3> <ul> <li>Update <code>@azure/storage-blob</code> to <code>^12.29.1</code> via <code>@actions/[email protected]</code> <a href="https://redirect.github.com/actions/cache/pull/1685">#1685</a></li> </ul> <h3>5.0.0</h3> <blockquote> <p>[!IMPORTANT] <code>actions/cache@v5</code> runs on the Node.js 24 runtime and requires a minimum Actions Runner version of <code>2.327.1</code>.</p> </blockquote> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/cache/commit/27d5ce7f107fe9357f9df03efb73ab90386fccae"><code>27d5ce7</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1747">#1747</a> from actions/yacaovsnc/update-dependency</li> <li><a href="https://github.com/actions/cache/commit/f280785d7b6e1884c7d12b9136eb0f4a1574fcfd"><code>f280785</code></a> licensed changes</li> <li><a href="https://github.com/actions/cache/commit/619aeb1606e195be0b36fd0ff68dcf1aff6b65a7"><code>619aeb1</code></a> npm run build generated dist files</li> <li><a href="https://github.com/actions/cache/commit/bcf16c2893940a4899761e55c7ac3c1cf88a04f6"><code>bcf16c2</code></a> Update ts-http-runtime to 0.3.5</li> <li>See full diff in <a href="https://github.com/actions/cache/compare/668228422ae6a00e4ad889ee87cd7109ec5666a7...27d5ce7f107fe9357f9df03efb73ab90386fccae">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
503a81be50 |
build(deps): bump KSXGitHub/github-actions-deploy-aur from 4.1.2 to 4.1.3 (#6347)
Bumps [KSXGitHub/github-actions-deploy-aur](https://github.com/ksxgithub/github-actions-deploy-aur) from 4.1.2 to 4.1.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ksxgithub/github-actions-deploy-aur/releases">KSXGitHub/github-actions-deploy-aur's releases</a>.</em></p> <blockquote> <h2>v4.1.3</h2> <p>There is a bug in <code>runuser</code> that converts all <code>-c</code> (even after <code>--</code>) into <code>--command</code> which <code>bash</code> doesn't recognize. This release removes the <code>-c</code> flag entirely, bash would execute <code>/build.sh</code> as if it's a file. Hopefully, the behavior preserves. If not, maybe just switch to <code>su</code> or <code>sudo</code>.</p> <p>Relevant PR: <a href="https://redirect.github.com/KSXGitHub/github-actions-deploy-aur/pull/51">KSXGitHub/github-actions-deploy-aur#51</a>.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/KSXGitHub/github-actions-deploy-aur/commit/da03e160361ce01bf087e790b6ffd196d7dccff7"><code>da03e16</code></a> fix: <code>bash: --command: invalid option</code> (<a href="https://redirect.github.com/ksxgithub/github-actions-deploy-aur/issues/51">#51</a>)</li> <li><a href="https://github.com/KSXGitHub/github-actions-deploy-aur/commit/3b403c740ae5e446b747b45451ec68665428dab1"><code>3b403c7</code></a> docs(readme): use the GitHub's note syntax</li> <li><a href="https://github.com/KSXGitHub/github-actions-deploy-aur/commit/e17cd797381bddd766236d808302398b090398d2"><code>e17cd79</code></a> docs(readme): remove patreon</li> <li>See full diff in <a href="https://github.com/ksxgithub/github-actions-deploy-aur/compare/v4.1.2...v4.1.3">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
67fc5c70b9 |
build(deps): bump github/codeql-action from 4.35.2 to 4.35.3 (#6343)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.2 to 4.35.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action's releases</a>.</em></p> <blockquote> <h2>v4.35.3</h2> <ul> <li><em>Upcoming breaking change</em>: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li> <li>Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. <a href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li> <li>Best-effort connection tests for private registries now use <code>GET</code> requests instead of <code>HEAD</code> for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. <a href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li> <li>Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. <a href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3">2.25.3</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3865">#3865</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>4.35.4 - 07 May 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li> </ul> <h2>4.35.3 - 01 May 2026</h2> <ul> <li><em>Upcoming breaking change</em>: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li> <li>Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. <a href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li> <li>Best-effort connection tests for private registries now use <code>GET</code> requests instead of <code>HEAD</code> for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. <a href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li> <li>Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. <a href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3">2.25.3</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3865">#3865</a></li> </ul> <h2>4.35.2 - 15 Apr 2026</h2> <ul> <li>The undocumented TRAP cache cleanup feature that could be enabled using the <code>CODEQL_ACTION_CLEANUP_TRAP_CACHES</code> environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the <code>trap-caching: false</code> input to the <code>init</code> Action. <a href="https://redirect.github.com/github/codeql-action/pull/3795">#3795</a></li> <li>The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. <a href="https://redirect.github.com/github/codeql-action/pull/3789">#3789</a></li> <li>Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. <a href="https://redirect.github.com/github/codeql-action/pull/3794">#3794</a></li> <li>Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. <a href="https://redirect.github.com/github/codeql-action/pull/3807">#3807</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2">2.25.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3823">#3823</a></li> </ul> <h2>4.35.1 - 27 Mar 2026</h2> <ul> <li>Fix incorrect minimum required Git version for <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a>: it should have been 2.36.0, not 2.11.0. <a href="https://redirect.github.com/github/codeql-action/pull/3781">#3781</a></li> </ul> <h2>4.35.0 - 27 Mar 2026</h2> <ul> <li>Reduced the minimum Git version required for <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> from 2.38.0 to 2.11.0. <a href="https://redirect.github.com/github/codeql-action/pull/3767">#3767</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1">2.25.1</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3773">#3773</a></li> </ul> <h2>4.34.1 - 20 Mar 2026</h2> <ul> <li>Downgrade default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a> due to issues with a small percentage of Actions and JavaScript analyses. <a href="https://redirect.github.com/github/codeql-action/pull/3762">#3762</a></li> </ul> <h2>4.34.0 - 20 Mar 2026</h2> <ul> <li>Added an experimental change which disables TRAP caching when <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. <a href="https://redirect.github.com/github/codeql-action/pull/3569">#3569</a></li> <li>We are rolling out improved incremental analysis to C/C++ analyses that use build mode <code>none</code>. We expect this rollout to be complete by the end of April 2026. <a href="https://redirect.github.com/github/codeql-action/pull/3584">#3584</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0">2.25.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3585">#3585</a></li> </ul> <h2>4.33.0 - 16 Mar 2026</h2> <ul> <li>Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. <a href="https://redirect.github.com/github/codeql-action/pull/3562">#3562</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/e46ed2cbd01164d986452f91f178727624ae40d7"><code>e46ed2c</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3867">#3867</a> from github/update-v4.35.3-8c6e48dbe</li> <li><a href="https://github.com/github/codeql-action/commit/b73d1d163446ca5e62b96698027210ab41df6a4a"><code>b73d1d1</code></a> Add changelog entry for <a href="https://redirect.github.com/github/codeql-action/issues/3853">#3853</a></li> <li><a href="https://github.com/github/codeql-action/commit/24e0bb00a931e2a5edb703ce3b22a70f3a3e800b"><code>24e0bb0</code></a> Reorder changelog entries</li> <li><a href="https://github.com/github/codeql-action/commit/ec298daba71cf7592feacbd1c0887cddc0659f62"><code>ec298da</code></a> Update changelog for v4.35.3</li> <li><a href="https://github.com/github/codeql-action/commit/8c6e48dbe051ceb3015c19554831af1b43275f46"><code>8c6e48d</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3865">#3865</a> from github/update-bundle/codeql-bundle-v2.25.3</li> <li><a href="https://github.com/github/codeql-action/commit/719098349ea5beae8aa364bf9b71ff1c8d937df2"><code>7190983</code></a> Add changelog note</li> <li><a href="https://github.com/github/codeql-action/commit/2bb209555a024d051f6271c8a846b402497f9445"><code>2bb2095</code></a> Update default bundle to codeql-bundle-v2.25.3</li> <li><a href="https://github.com/github/codeql-action/commit/7851e55dc3be31ec4bcc3ef98453de2cb306e698"><code>7851e55</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3850">#3850</a> from github/mbg/private-registry/cloudsmith-gcp</li> <li><a href="https://github.com/github/codeql-action/commit/262a15f6cf4c7a43d6a38ad76392e5e2d4977751"><code>262a15f</code></a> Add generic non-printable chars test for OIDC configs</li> <li><a href="https://github.com/github/codeql-action/commit/a6109b1c07173a53ece3d179a925ff9644d1fabd"><code>a6109b1</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3853">#3853</a> from github/mbg/start-proxy/improved-checks</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/95e58e9a2cdfd71adc6e0353d5c52f41a045d225...e46ed2cbd01164d986452f91f178727624ae40d7">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
1e6514a471 |
build(deps): bump org.projectlombok:lombok from 1.18.44 to 1.18.46 (#6342)
Bumps [org.projectlombok:lombok](https://github.com/projectlombok/lombok) from 1.18.44 to 1.18.46. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/projectlombok/lombok/blob/master/doc/changelog.markdown">org.projectlombok:lombok's changelog</a>.</em></p> <blockquote> <h3>v1.18.46 (April 22nd, 2026)</h3> <ul> <li>PLATFORM: JDK26 support added <a href="https://redirect.github.com/projectlombok/lombok/issues/4019">#4019</a>.</li> <li>PLATFORM: Spring Tools Suite 5 supported <a href="https://redirect.github.com/projectlombok/lombok/issues/3985">#3985</a>.</li> <li>BUGFIX: <code>@Jacksonized</code> no longer stops generating <code>@JsonProperty</code> once an explicit <code>@JsonIgnore</code> annotations is encountered <a href="https://redirect.github.com/projectlombok/lombok/issues/4022">#4022</a>.</li> <li>BUGFIX: In eclipse, mixing <code>@Jacksonized</code> and <code>fluent = true</code> no longer causes the error <code>com.fasterxml.jackson.annotation.JsonProperty is not a repeatable annotation interface</code>. <a href="https://redirect.github.com/projectlombok/lombok/issues/3934">#3934</a>.</li> <li>BUGFIX: Some finishing touches for v1.18.44's support of Jackson3 <a href="https://redirect.github.com/projectlombok/lombok/issues/4004">#4004</a>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/projectlombok/lombok/commit/936ca59baf844fd6c0ad641974295498785d8091"><code>936ca59</code></a> [build] lombok's launcher is still intended to be 1.4 compatible, or at least...</li> <li><a href="https://github.com/projectlombok/lombok/commit/fcdab3f29e1b48c8f4b33ef9231ec2587a43d122"><code>fcdab3f</code></a> [version] pre-release version bump</li> <li><a href="https://github.com/projectlombok/lombok/commit/1cb7d49c5d2dc98af7a66413d8119dec285d0666"><code>1cb7d49</code></a> [changelog]<a href="https://redirect.github.com/projectlombok/lombok/issues/4004">#4004</a> Mention Jackson3 final touches in changelog.</li> <li><a href="https://github.com/projectlombok/lombok/commit/12a15b00555ec8097eca2bf7d77c2c2124e13e0e"><code>12a15b0</code></a> Fix: Bump EA_JDK to 27 (25 and 26 have been released)</li> <li><a href="https://github.com/projectlombok/lombok/commit/2be766cfc2ef56f2d986f28f734c98535d611aee"><code>2be766c</code></a> Merge branch 'jackson3-final-touches'</li> <li><a href="https://github.com/projectlombok/lombok/commit/290fa4c8539c7e97b47f7e80033e078127050eb5"><code>290fa4c</code></a> [trivial] constantize the warning we spit out for ambiguous jackson2/3, and m...</li> <li><a href="https://github.com/projectlombok/lombok/commit/e6567b6621f86b43033ab4a75e0273780e18e998"><code>e6567b6</code></a> test: Add Jackson 3 test cases and version ambiguity warnings</li> <li><a href="https://github.com/projectlombok/lombok/commit/45e72e241abe98dcfb66408402da825dd2b8e925"><code>45e72e2</code></a> feat: Add Jackson 3 databind/dataformat annotations to HandlerUtil copy lists</li> <li><a href="https://github.com/projectlombok/lombok/commit/184d42363d86446a63b6270ac1eb352dc43ae76c"><code>184d423</code></a> feat: Add Jackson 3 support to <a href="https://github.com/Jacksonized"><code>@Jacksonized</code></a> handlers</li> <li><a href="https://github.com/projectlombok/lombok/commit/e027ad0f1515bd33d4d329d90e59dccbaf44651e"><code>e027ad0</code></a> refactored to ShadowClassLoader use Collections::enumeration instead of Vector</li> <li>Additional commits viewable in <a href="https://github.com/projectlombok/lombok/compare/v1.18.44...v1.18.46">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
c4874deb5d |
build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#6341)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.19.0 to 2.19.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p> <blockquote> <h2>v2.19.1</h2> <h2>What's Changed</h2> <ul> <li>fix: detect ubuntu-slim runners early and bail out by <a href="https://github.com/devantler"><code>@devantler</code></a> in <a href="https://redirect.github.com/step-security/harden-runner/pull/657">step-security/harden-runner#657</a></li> </ul> <p>What the fix changes</p> <ul> <li>Harden-Runner will detect <code>ubuntu-slim</code> runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.</li> </ul> <p>What the fix does not do</p> <ul> <li>Jobs running on <code>ubuntu-slim</code> will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).</li> <li>Per GitHub's docs on <a href="https://docs.github.com/en/actions/reference/runners/github-hosted-runners#single-cpu-runners">single-CPU runners</a>: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.</li> </ul> <p>For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of <code>ubuntu-slim</code> via workflow run policies see the <a href="https://docs.stepsecurity.io/workflow-run-policies/policies#runner-label-policy">Runner Label Policy</a> docs. This lets you enforce that jobs only run on monitored runner types.</p> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/devantler"><code>@devantler</code></a> made their first contribution in <a href="https://redirect.github.com/step-security/harden-runner/pull/657">step-security/harden-runner#657</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.19.0...v2.19.1">https://github.com/step-security/harden-runner/compare/v2.19.0...v2.19.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/step-security/harden-runner/commit/a5ad31d6a139d249332a2605b85202e8c0b78450"><code>a5ad31d</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/657">#657</a> from devantler/fix/ubuntu-slim-user-env</li> <li><a href="https://github.com/step-security/harden-runner/commit/6e928567d74554b8842dd434908da31c593ba85c"><code>6e92856</code></a> build dist and trim ubuntu-slim message</li> <li><a href="https://github.com/step-security/harden-runner/commit/4e0504ee086374bdec7064e5c26d48af41ba6209"><code>4e0504e</code></a> Merge branch 'main' into fix/ubuntu-slim-user-env</li> <li><a href="https://github.com/step-security/harden-runner/commit/376d25a97f3a1640ff8cbbddaa4af25948df2cf3"><code>376d25a</code></a> fix: detect ubuntu-slim runners early and bail out</li> <li>See full diff in <a href="https://github.com/step-security/harden-runner/compare/8d3c67de8e2fe68ef647c8db1e6a09f647780f40...a5ad31d6a139d249332a2605b85202e8c0b78450">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
4ee47fdddd | Fix Task commands in Powershell (#6330) |