eb6aa6e8bb18b4fbcd27aed0b6b337caedb17c9e
266 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
8b986f3dc3 |
feat(portal-shell): thin full-width footer with copyright + a11y links (#88)
## Summary
- Re-add a **40 px** (h-10) footer pinned to the bottom of the shell, spanning the full viewport width below header + sidebar + main.
- Hosts the **`© <year> APF France handicap`** copyright on the left and the FR + EN accessibility statement links on the right, separated by a thin divider.
- **Move the accessibility links out of the sidebar bottom.** Putting legal / compliance links in the footer matches universal web convention and keeps the sidebar focused on product navigation.
## Why footer rather than the help menu
The header's `circle-help` icon will eventually open a help menu (FAQ, keyboard shortcuts, contact support) — that's **product help**, not **legal / compliance**. Auditors (RGAA 4.1, EN 301 549) look for the accessibility statement in the footer; hiding it inside a help dropdown would hurt discoverability. The footer is the canonical home.
## Why both FR + EN stay visible
There is no language toggle yet — `@angular/localize` and its ADR are a separate chantier. Until then, exposing both languages prevents a francophone user from landing on the EN page (or vice versa) via a stale favourite. Once the locale switcher lands, the footer drops the link that doesn't match the active locale.
## Layout
```
:host flex column, h-100vh
├── app-header shrink-0, h-16
├── div.shell-body flex-1, flex row
│ ├── app-sidebar w-{64|16}, h-full (== shell-body)
│ └── main.shell-main flex-1, overflow-y-auto
└── app-footer shrink-0, h-10
```
The sidebar now sits *between* header and footer, so the collapse toggle stays flush above the footer at every viewport size. shell-main still owns its own vertical scroll so long content does not push the footer off-screen.
## What this PR reserves for later (placeholder)
- **Language toggle (FR / EN)** — lands once `@angular/localize` is in.
- **Dev-only version badge** — lands once `environment.ts` per ADR-0018 is wired up.
Both belong in the footer; the layout already has slots for them (center / right groupings).
## Accessibility
- `<footer aria-label="Page footer">` landmark.
- Inline text links inside `<nav aria-label="Legal">` with hover underline + visible focus ring (brand primary, 4 px offset). Inline-link exception applies to the 44×44 touch target (ADR-0016).
- Dark mode: white → `dark:bg-gray-900`, gray-500 text → `dark:text-gray-400`, brand-primary-500 hover → `dark:hover:text-brand-primary-300`.
## Test plan
- [x] `pnpm exec nx run-many -t lint test build --projects=portal-shell` — green (**36 / 36 specs**, +3 for the footer).
- [x] Production build: **121 kB gzip initial** (unchanged from main).
- [ ] Manual: footer pinned at the bottom in every viewport size; sidebar height tracks shell-body so the collapse button sits just above it.
- [ ] Manual: both `/accessibility` and `/accessibilite` links navigate correctly and get `aria-current="page"` when active.
- [ ] Manual: dark mode → footer surface flips with the rest of the shell.
- [ ] Manual: keyboard — Tab into the footer reaches each link, focus ring is visible, Shift+Tab walks back out.
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #88
|
||
|
|
3a0a9c700d |
fix(portal-shell): dark mode actually applies to component-scoped surfaces (#87)
## Bug
Three component stylesheets (`app.scss`, `sidebar.scss`, `theme-switcher.scss`) carried `:where(.dark) &` rules to react to the `<html>.dark` class — the same pattern Tailwind uses internally. **Angular's emulated CSS encapsulation descends into `:where()` and rewrites its contents with the `_ngcontent-XXX` scoping attribute**, so the produced selector looked like:
```css
:where(.dark[_ngcontent-c0]) .shell-main[_ngcontent-c0] { ... }
```
`<html>` carries `.dark` but no `_ngcontent` attribute — the rule never matched.
Visible symptom: the main page background stayed light even when `.dark` was on `<html>` and every Tailwind `dark:` utility in the templates was working correctly. Sidebar hover/focus/active states and the theme-switcher menu surface had the same bug.
## Fix
- **`app.scss` and `sidebar.scss`** switch to `:host-context(.dark)`. The Angular compiler recognises this directive and expands it without forcing the ancestor (`<html>`) to carry the scoping attribute. Compiled output:
```css
.dark[_nghost-c0] .shell-main[_ngcontent-c0],
.dark [_nghost-c0] .shell-main[_ngcontent-c0] { ... }
```
The second selector matches `<html>.dark` as an ancestor of `<app-root>` (the host) — exactly what we want.
- **`theme-switcher` switches to `ViewEncapsulation.None`**. Its CDK menu opens in an overlay portal appended to `<body>` — outside the component's host subtree — so even `:host-context()` would miss it. With encapsulation disabled, the styles emit globally; the BEM-style class names (`.theme-switcher__menu`, `.theme-switcher__item`, ...) keep the rules contained without leaking.
## Drive-by
- Remove the right border on the `.header__logo-zone`. The visible hairline above the sidebar was extra noise — the alignment of widths already carries the visual relationship to the rail below.
## Why not also rip out the `dark:` Tailwind utilities used in the templates?
They work. They're emitted into the global Tailwind sheet, sit outside view encapsulation, and already handle the `.dark` ancestor lookup via their own selector (`:where(.dark, .dark *)`). The bug was specifically about component-authored CSS *inside* an SCSS file under emulated encapsulation.
## Test plan
- [x] `pnpm exec nx run-many -t lint test build --projects=portal-shell` — green (33 / 33 specs).
- [x] Inspect the produced CSS: `:host-context(.dark)` expands to both `.dark[_nghost-XXX]` and `.dark [_nghost-XXX]` selectors, no `_ngcontent` attribute leaked into the `.dark` portion.
- [ ] Manual: pick dark mode → `/` shows the dark page background; sidebar hover / active / focus visibly switches; theme-switcher menu opens with the dark surface.
- [ ] Manual: header no longer shows a vertical hairline between the logo zone and the search/actions cluster.
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #87
|
||
|
|
0ae7e0e23d |
feat(portal-shell): light / dark / auto theme switcher (#86)
## Summary
- Add a header dropdown letting users pick **light**, **dark**, or **auto** (follow the OS) color schemes. Choice persists in `localStorage`, applies on next reload, and reacts live to OS theme changes when in `auto`.
- Built on `@angular/cdk/menu` for accessible roving focus, escape-to-close, and proper `menuitemradio` semantics on the three options.
- Apply `dark:` variants across the shell (header, sidebar, main bg) and the existing two pages. No semantic-token refactor yet — that belongs in a future ADR (`--color-surface-1`, `--color-text-1`, …).
## Architecture
- [`LayoutStateService`](apps/portal-shell/src/app/state/layout-state.service.ts) grows a `themeMode: signal<'light'|'dark'|'auto'>` alongside the existing `sidebarCollapsed`, plus an `effectiveTheme` computed that resolves `auto` against the system preference. A side-effect toggles the `.dark` class on `<html>`, so every `dark:` Tailwind utility flips at once.
- Tailwind v4 dark mode is rewired to **class-based** via `@custom-variant dark (&:where(.dark, .dark *));` in `styles.css`. This overrides the v4 default (`prefers-color-scheme` only) so the user's explicit override wins over the OS preference.
- The switcher trigger reflects the **selected** mode (sun / moon / monitor), not the effective theme — so users can tell which mode they're in even when `auto` happens to resolve to the same scheme as a manual pick.
## Side-edits in the same PR (already validated in the chat)
- **Logo asset.** Replace `apf-small.svg` (94 kB — a base64-PNG wrapped in SVG markup, not actually vector) with `apf-small.png` (144×144, 7.6 kB after `sharp --kernel lanczos3 --compressionLevel 9`). Header swaps to the PNG. The wide vector `apf-portal.svg` stays around for future surfaces that want the horizontal lockup.
- **Revert FR strings** that crept into the header template — project rule (CLAUDE.md) is English-only for source artefacts; FR localisation will happen properly via `@angular/localize` (separate ADR).
## Decisions worth flagging
- **Dropdown over segmented control.** The CDK Menu pays its weight: accessible by default (proper `aria-haspopup`, focus management, ESC handling, click-outside dismissal), reusable for future header menus (user, language, notifications), and one tidy primitive rather than three competing buttons.
- **`auto` is the default,** not `light`. Most users have an OS-level preference already; respecting it is the least surprising baseline.
- **`<html>.dark` class lives at the root,** not on `<app-root>`. That's the Tailwind convention and it means CDK overlay popups (the menu itself, future dialogs) inherit the right theme without extra wiring.
- **Bundle delta +21 kB gzip** (100 → 121 kB initial). All of it is `@angular/cdk/{menu,overlay,a11y}` and the dark CSS rules. We stay well under the 300 kB budget. The CDK is already on the architecture menu (ADR-0016 — *UI stack: Angular CDK + TailwindCSS*) so this is on-strategy spend.
- **No semantic tokens yet.** The dark variants use raw Tailwind gray ramps (`dark:bg-gray-900`, etc.) instead of a `--color-surface-1` / `--color-text-1` token layer. That keeps the change tractable for now; promotion to semantic tokens deserves its own ADR with the design team in the loop.
## Accessibility (ADR-0016)
- Menu trigger has `aria-haspopup="menu"`, `aria-label` announcing the current mode + "(open menu)".
- Menu uses `role="menu"`, items use `role="menuitemradio"` with `aria-checked` — assistive tech announces the selection state correctly.
- All interactive controls keep the 44×44 px touch target.
- `prefers-reduced-motion: reduce` already covered by the sidebar transitions; theme switcher has no animations of its own.
- Contrast: dark surfaces are gray-900 + gray-800 border / gray-100 text — passes WCAG AA. Brand primary shifted to the `300` step in dark mode so the active states keep contrast against gray-900.
## What this PR explicitly does NOT do
- Tokenise the palette into semantic surface / text / border roles (next iteration, ADR-led).
- Localise UI strings (separate `@angular/localize` ADR + PR).
- Animate the theme transition (FOIT-style flicker on toggle is acceptable in v1; we can soften later with a `color-scheme` CSS transition if it bothers users).
## Test plan
- [x] `pnpm exec nx run-many -t lint test build --projects=portal-shell` — green (**33 / 33 specs**, +8 for the theme work).
- [x] Production build: **121 kB gzip initial** (was 100 kB). Under the 300 kB budget.
- [ ] Manual: toggle each of the three modes → header / sidebar / main / cards switch surface colors instantly; trigger glyph updates.
- [ ] Manual: pick `auto`, change OS theme → UI follows live (Chrome DevTools → Rendering → "Emulate CSS media feature prefers-color-scheme").
- [ ] Manual: reload after each pick → the chosen mode is restored.
- [ ] Manual: keyboard the trigger → ENTER opens menu, arrow keys navigate, ENTER selects, ESC closes; focus returns to the trigger on close.
- [ ] Manual: Lighthouse accessibility on `/` in dark mode — score unchanged from light mode.
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #86
|
||
|
|
b6aa17f6a0 |
feat(portal-shell): align header logo zone with the sidebar rail (#85)
## Summary - Split the header into two zones: a **logo zone** whose width tracks the sidebar (16 rem expanded / 4 rem collapsed), and the existing search + actions cluster on the right. - The logo glyph stays at both widths; the "APF Portal" wordmark hides when the rail collapses, mirroring the sidebar's icon-only mode. - Promote the sidebar's `collapsed` state to a new [`LayoutStateService`](apps/portal-shell/src/app/state/layout-state.service.ts) (Signals + `localStorage`) so header and sidebar share a single source of truth. ## Why a service rather than prop-drilling Two reasons: 1. The state is **shell-level**, not sidebar-internal — the header now reads it, and future surfaces (right rail, breadcrumbs, command palette) will too. Passing it down via inputs would force `<app-root>` to act as the owner and turn every intermediate component into a relay. 2. As we add other cross-cutting shell state (density, theme, panel pinning, RTL), they all belong in the same place. `LayoutStateService` is the natural collector and stays trivial as long as we don't over-broaden it. v1 ships with one signal — keeping it narrow. The service is `providedIn: 'root'` (singleton), Signals-only, and owns localStorage persistence — same UX as before, just relocated. ## Decisions worth flagging - **Widths stay duplicated between `header.scss` and `sidebar.scss`** (16 rem / 4 rem). Extracting a shared SCSS variable would be premature — only two callers, and the coupling is loud (cross-file comment in `header.scss`). If a third surface needs the same widths, we promote to a shared token. - **Border continuity.** The logo zone's right border and the sidebar's right border share the same x coordinate, so they read as one continuous vertical separator running the full shell height. Same `#e5e7eb` so the seam is invisible. - **Width transition** matches the sidebar's (`0.18s ease-out`) and is skipped under `prefers-reduced-motion: reduce`. - **Sidebar component lost its private state.** Its own signal + effect + storage glue is gone; it delegates reads to the service and the toggle click to `layout.toggleSidebar()`. Net `sidebar.ts` shrunk by ~15 lines. ## Test plan - [x] `pnpm exec nx run-many -t lint test build --projects=portal-shell` — green (25 / 25 specs, +6 for the new service spec + header zone tests). - [x] Production build under bundle budgets (100 kB gzip initial — +0.2 kB vs main). - [ ] Manual: load `/`, confirm the logo zone's right edge aligns exactly with the sidebar's right edge at both widths. - [ ] Manual: toggle the sidebar → both columns animate in sync; wordmark hides; logo glyph stays centered in the 4 rem zone. - [ ] Manual: reload after toggling → both header and sidebar restore to the persisted state. - [ ] Manual: `prefers-reduced-motion: reduce` → no width animation in either zone. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #85 |
||
|
|
29f79d677e |
feat(portal-shell): full favicon set + PWA manifest (#84)
## Summary - Replace the single root `favicon.ico` with a complete asset bundle under [`apps/portal-shell/public/favicons/`](apps/portal-shell/public/favicons/): SVG primary favicon, PNG fallback (96×96), legacy ICO, Apple touch icon (180×180), and a Web App Manifest with 192 / 512 maskable PNGs. - Wire the assets in [`index.html`](apps/portal-shell/src/index.html) via the standard `<link rel="icon|apple-touch-icon|manifest">` block and add a matching `<meta name="theme-color" content="#ffffff">`. - Set the manifest name to `"APF Portal"` (short_name `"Portal"`) so the PWA install banner and home-screen icon read consistently with the in-app header. ## Why it matters - **Modern favicons.** SVG is now the primary icon — vector-clean at every density, automatic dark-mode adaptation when the SVG carries `prefers-color-scheme` rules. PNG + ICO entries cover legacy and pinned-tab contexts. - **Installability.** With a valid manifest + 192/512 icons + `display: standalone`, the portal is installable on Android home-screens and as a desktop PWA in Chromium-based browsers, without shipping a service worker. - **Mobile chrome.** `<meta name="theme-color">` aligned with the manifest's `theme_color` tints the browser address bar and the PWA chrome to white — matching the app header. ## Decisions worth flagging - **Icons declared `purpose: "maskable"` only.** The PNGs were generated with the Android safe-zone padding. On Android they render correctly (cropped to the device's adaptive shape); on contexts that ask for `"any"` the browser falls back to the SVG / PNG / ICO entries from the `<link rel="icon">` block, so nothing breaks. If we later want a no-padding edge-to-edge variant for desktop, we can add a second icon entry with `purpose: "any"` and a different source. - **`theme_color: #ffffff` rather than brand teal.** The app header is white in the v1 design; tinting the mobile chrome to teal would create a visible seam at the top of the viewport. We can revisit if a darker header lands. - **Cache-buster query strings kept (`?v=20260511`).** Static `public/` assets are not hashed by Angular's build (only bundled JS/CSS are), so the explicit version stamp guards against stale caches on icon updates. The date matches the generation day. ## What this PR explicitly does NOT do - Ship a service worker / offline support (PWA installability does not require it; offline strategy is a separate decision and likely a future ADR). - Replace the SVG icon contents with a brand-tuned design — uses the existing generator output. - Wire a localized manifest (single `name` / `short_name`, no `lang` variant per locale). ## Test plan - [x] `pnpm exec nx build portal-shell --configuration=production` — green, 100 kB gzip initial (unchanged). - [x] All 7 assets ship to `dist/apps/portal-shell/browser/favicons/`. - [x] `index.html` in the production build contains every `<link>` + the `theme-color` meta. - [ ] Manual: tab favicon visible in Chrome / Firefox / Safari. - [ ] Manual: Chrome DevTools → Application → Manifest reports no errors and shows both 192/512 icons. - [ ] Manual: Chrome desktop install prompt offers "Install APF Portal". - [ ] Manual: Add-to-Home-Screen on Android shows the maskable icon clipped to the device's adaptive shape. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #84 |
||
|
|
3371fbd613 |
feat(portal-shell): app-shell layout with collapsable sidebar (#83)
## Summary - Replace the flat header+main+footer layout with a real app-shell: fixed header on top, collapsable sidebar + scrollable main below. Sidebar state (collapsed / expanded) persists across reloads via `localStorage`. - Introduce the APF brand palette as Tailwind v4 `@theme` tokens (primary teal `#12546c`, accent orange `#f7a919`) so every utility (`bg-brand-primary-500`, `text-brand-accent-400`, `ring-brand-primary-200`, …) is available from now on. - Add an `<app-icon>` façade backed by `lucide-angular` for v1. Logical kebab-case names already match the icomoon-sprite convention, so the future migration is a single-file change in `icon.ts` and consumers stay untouched. - Migrate the accessibility-statement links from the (now-deleted) footer to the bottom of the sidebar. ## Decisions worth flagging - **Static menu, permission-shaped data.** Items point to `#` placeholders in v1, except *Dashboard* which is `routerLink="/"` so the active-state styling is visible on the home page. The `MenuItem` shape already carries an optional `requiredPermissions: string[]` so the permission-aware filter (PR 2, alongside ADR-0009 auth) plugs in without restructuring. - **`<app-icon>` over direct lucide imports.** Consumers write `<app-icon name="bell">` rather than importing the lucide pascal-case symbol. When the icomoon sprite lands, only the registry in `icon.ts` changes — templates do not. - **Sidebar persistence via `localStorage`, not backend.** Zero round-trip, survives reloads, falls back gracefully when storage is blocked (private mode). Eventually mirrored server-side if the user-preferences feature lands. - **Footer removed entirely.** With the sidebar carrying the FR + EN accessibility-statement links and the role badge, the bottom rail no longer earned its vertical real estate. The version badge moved out for now; it will return as part of a debug/help menu when there's a real release to surface. ## Accessibility (ADR-0016) - Skip-link preserved (WCAG 2.4.1 *Bypass Blocks*) and restyled in the brand palette. - Sidebar exposes named landmarks (`<nav aria-label="Sections">`, `<nav aria-label="Accessibility">`) and the collapse button uses `aria-expanded` + a descriptive `aria-label`. - Active links carry `ariaCurrentWhenActive="page"`. - All interactive controls (header action buttons, sidebar links/toggle) meet the 44×44 px minimum hit-target. - Sidebar width transition is skipped under `prefers-reduced-motion: reduce`. - Lucide SVGs are marked `aria-hidden` (decorative); accessible names live on the parent control. ## Perf (ADR-0017) - Production build: **100 kB gzip** initial transfer (budget: 300 kB). Lucide imports are tree-shaken — only the ~18 icons actually used ship. ## What this PR explicitly does NOT do - Wire icon-set migration to icomoon (kept as a deferred swap behind `<app-icon>`). - Filter the menu by permission (deferred to PR 2 once the auth flow lands). - Replace the avatar placeholder with a real user menu (waits on ADR-0009). - Implement the search input behavior (placeholder only; needs a search backend). ## Test plan - [x] `pnpm exec nx run-many -t lint test build --projects=portal-shell` — green (19 / 19 specs). - [x] Production build under bundle budgets (100 kB gzip initial). - [ ] Manual: load `/`, confirm Dashboard appears active in the sidebar, collapse → reload → still collapsed, focus the address bar then Tab → skip-link visible, keyboard-traverse the sidebar. - [ ] Manual: `prefers-reduced-motion: reduce` → no width animation when toggling. - [ ] Manual: zoom to 200 % → no horizontal scroll, header search hides at narrow widths (`md:` breakpoint). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #83 |
||
|
|
a463199728 |
feat(infra): reactivate act_runner cache by sharing the runners network (#82)
## Summary Closes the deferred-since-day-one cache-server gap (documented as "Cache server (deferred)" in `infra/README.md` and mentioned every time we hit a slow CI install). **Root cause.** `act_runner`'s built-in cache server binds inside the runner container and advertises an IP on the compose-defined `apf-portal-act-runners` bridge — but jobs are spawned via the mounted `/var/run/docker.sock`, which puts them on Docker's anonymous default `bridge`. The advertised URL is unreachable from the job, every cache request burns a ~2 min `ETIMEDOUT` (restore + save), the hit rate is zero. **Fix.** Tell `act_runner` to attach jobs to the same compose-defined bridge as the runners, via `container.network` in the shared `runner-config.yaml`. The advertised cache URL becomes a normal internal-network DNS hop, jobs reach the cache server, `cache: 'pnpm'` works end-to-end. **Blast-radius trade-off** (bounded). Every container on `apf-portal-act-runners` is one of our runner containers, plus the jobs they spawn — all of which already have full docker-socket access. Sharing a network doesn't widen what a malicious workflow can already do; it just lets jobs reach the cache server. ## What lands - `infra/runner-config.yaml` — add `container.network: apf-portal-act-runners`. Surface the `cache.enabled: true` default explicitly so the toggle is discoverable. - `.gitea/workflows/ci.yml` — re-enable `cache: 'pnpm'` on every `actions/setup-node` step (5 jobs). Drop the now-stale block comment that explained the disablement. - `.gitea/workflows/security-scheduled.yml` — same on the two setup-node steps. - `infra/README.md` "Cache server" section rewritten — was `"(deferred)"`, now describes the working setup, rationale, and the disable toggle. - `ci.yml`'s Trivy comment trimmed to drop the cross-reference to the deferred-cache-server section that no longer exists. ## Roll-out (manual, post-merge, on the runner host) ```bash cd <repo>/infra git pull ./ci-runners.sh rotate ``` `rotate` recreates the containers with the new `runner-config.yaml` mount intact (rolling restart, ~15 s pause between each runner so the CI pipeline stays online). ## Test plan - [ ] CI green on this PR (the gates run on the runners as configured **before** rollout, so this PR's run is one last "uncached" cycle). - [ ] After rollout, the next CI run's `Set up Node.js` step shows the cache restore attempt **succeed quickly** (no ETIMEDOUT). The `Run pnpm install --frozen-lockfile` step on the first post-rollout run still reports `Progress: resolved N, reused 0, downloaded N` (cold seed). - [ ] The **second** post-rollout run reports `reused N, downloaded 0` (or a small downloaded delta if Renovate moved a dep meanwhile) — the cache hit is real. - [ ] `Complete job` step at the end no longer shows `reserveCache failed: connect ETIMEDOUT` warnings. - [ ] Wall-clock for a typical PR's CI drops by ~5-10 min (5 jobs × ~30-90 s saved on `pnpm install` + the 2× ~2 min ETIMEDOUTs we used to eat). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #82 |
||
|
|
2d676cc279 |
feat(infra): add ci-runners.sh wrapper for the runner stack (#81)
## Summary Mirrors the convenience-script pattern we adopted for `infra/local/dev.sh`: typing `docker compose -f infra/ci-runners.compose.yml ...` for routine ops gets old fast, the pre-pull of the catthehacker job images is documented but easy to forget, and the "rotation of one runner at a time" tip in `infra/README.md` is a sequence the contributor was supposed to hand-roll every time. `infra/ci-runners.sh` exposes the everyday verbs and automates the rolling-restart pattern. ## What lands | Command | Effect | | --------------------------------------------- | --------------------------------------------------------------------------------- | | `./ci-runners.sh up` | Bring the three runner containers up | | `./ci-runners.sh up --prepull` | Pre-pull the job images (`act-22.04` + `:full-22.04`) on the host first | | `./ci-runners.sh down` | Stop and remove the containers (**preserves** `data/runner-N/.runner` credentials) | | `./ci-runners.sh restart <runner>` | Restart one runner | | `./ci-runners.sh rotate` | Rolling restart of every runner with a 15 s pause between each — keeps at least N-1 runners online through a config refresh | | `./ci-runners.sh status` | `docker compose ps` for the runner services | | `./ci-runners.sh logs [runner]` | Follow logs (one runner or all of them) | | `./ci-runners.sh pull-images` | Pre-pull / refresh the job images (idempotent) | | `./ci-runners.sh <other>` | Pass-through to `docker compose -f ci-runners.compose.yml ...` | The destructive `down -v` (wipes `data/`, forces re-registration with a fresh Gitea token) is intentionally **not** exposed as a verb — invoke `docker compose -f ci-runners.compose.yml down -v` directly so the path is explicit at the typing level. ## Doc updates (`infra/README.md`) - Inventory table at the top picks up the script. - "First-time registration" walkthrough swaps the explicit `docker pull` / `docker compose up` steps for `./ci-runners.sh up --prepull`. - New "Convenience script — `ci-runners.sh`" subsection with the cheat-sheet table. - "Operational tips" rephrased to point at the script's `rotate` / `restart` / `logs` verbs as the canonical commands; the raw-docker-compose form is kept in parentheses as the underlying mechanism. - "Adding a fourth runner" tip now reminds to update the `RUNNERS=()` array at the top of the script. ## Trade-off The 15 s pause in `rotate` is a conservative approximation — `act_runner` doesn't expose a Compose healthcheck, so we can't poll for ready. Adjust the constant at the top of the script if reality argues for a different value. ## Test plan - [ ] CI green on this PR. - [ ] On the runner host: `./infra/ci-runners.sh status` shows the three runners running. - [ ] `./infra/ci-runners.sh logs runner-1` tails runner-1's stdout. - [ ] `./infra/ci-runners.sh rotate` cycles through runner-1 → runner-2 → runner-3 with the 15 s pauses; `status` between rotations shows N-1 runners online at any moment (with a brief gap for the one currently restarting). - [ ] `./infra/ci-runners.sh restart runner-99` errors out with the "unknown runner" message. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #81 |
||
|
|
674c8b2f88 |
chore(deps): update dependency gitleaks/gitleaks to v8.30.1 (#79)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [gitleaks/gitleaks](https://github.com/gitleaks/gitleaks) | minor | `8.21.0` -> `8.30.1` | --- ### Release Notes <details> <summary>gitleaks/gitleaks (gitleaks/gitleaks)</summary> ### [`v8.30.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.30.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.30.0...v8.30.1) ##### Changelog - [`83d9cd6`](https://github.com/gitleaks/gitleaks/commit/83d9cd684c87d95d656c1458ef04895a7f1cbd8e) update goreleaser - [`8d1f98c`](https://github.com/gitleaks/gitleaks/commit/8d1f98c7967eb1e79cb44ac6241a124e145d2165) Removed unnecessary functions from report template ([#​2040](https://github.com/gitleaks/gitleaks/issues/2040)) - [`ca20267`](https://github.com/gitleaks/gitleaks/commit/ca20267a84aa1fa2c2a9c1a13cdb50cafb48eeb0) its the simple things ([#​2020](https://github.com/gitleaks/gitleaks/issues/2020)) - [`b66ac75`](https://github.com/gitleaks/gitleaks/commit/b66ac75e4fa93d86d78fccd6e2f36d2c0698b2a2) build: switch to Go 1.24 ([#​2002](https://github.com/gitleaks/gitleaks/issues/2002)) ### [`v8.30.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.30.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.29.1...v8.30.0) ##### Changelog - [`6eaad03`](https://github.com/gitleaks/gitleaks/commit/6eaad03) 0 to 5 - notes on recursive decoding ([#​1994](https://github.com/gitleaks/gitleaks/issues/1994)) - [`09242ce`](https://github.com/gitleaks/gitleaks/commit/09242ce) Add new Looker client ID and client secret rules ([#​1947](https://github.com/gitleaks/gitleaks/issues/1947)) - [`c98e5e0`](https://github.com/gitleaks/gitleaks/commit/c98e5e0) feat: add Airtable Personnal Access Token detection ([#​1952](https://github.com/gitleaks/gitleaks/issues/1952)) - [`4ed0ca4`](https://github.com/gitleaks/gitleaks/commit/4ed0ca4) build: upgrade Go & alpine version ([#​1989](https://github.com/gitleaks/gitleaks/issues/1989)) ### [`v8.29.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.29.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.29.0...v8.29.1) ##### Changelog - [`fb5d707`](https://github.com/gitleaks/gitleaks/commit/fb5d707) thats a paddlin - [`50493db`](https://github.com/gitleaks/gitleaks/commit/50493db) feat: document stdout report path ([#​1990](https://github.com/gitleaks/gitleaks/issues/1990)) ### [`v8.29.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.29.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.28.0...v8.29.0) ##### Changelog - [`ed65b65`](https://github.com/gitleaks/gitleaks/commit/ed65b65) Add trace log for skipped archive file when not enabled ([#​1961](https://github.com/gitleaks/gitleaks/issues/1961)) - [`c5ccbb9`](https://github.com/gitleaks/gitleaks/commit/c5ccbb9) Respect contexts with timeouts ([#​1948](https://github.com/gitleaks/gitleaks/issues/1948)) - [`3821f30`](https://github.com/gitleaks/gitleaks/commit/3821f30) Config min version ([#​1955](https://github.com/gitleaks/gitleaks/issues/1955)) - [`d223718`](https://github.com/gitleaks/gitleaks/commit/d223718) fix(config): validate rules when \[extend] is used ([#​1592](https://github.com/gitleaks/gitleaks/issues/1592)) - [`87d9629`](https://github.com/gitleaks/gitleaks/commit/87d9629) feat: add Amazon Bedrock API key detection ([#​1935](https://github.com/gitleaks/gitleaks/issues/1935)) - [`228396b`](https://github.com/gitleaks/gitleaks/commit/228396b) Add GitHub Sponsors section and Discord link - [`a82bc53`](https://github.com/gitleaks/gitleaks/commit/a82bc53) feat: improve regex to detect Sonar tokens with prefixes ([#​1931](https://github.com/gitleaks/gitleaks/issues/1931)) ### [`v8.28.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.28.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.2...v8.28.0) ##### Changelog - [`4fb4382`](https://github.com/gitleaks/gitleaks/commit/4fb4382) cant count - [`b1c9c7e`](https://github.com/gitleaks/gitleaks/commit/b1c9c7e) Composite rules ([#​1905](https://github.com/gitleaks/gitleaks/issues/1905)) - [`72977e4`](https://github.com/gitleaks/gitleaks/commit/72977e4) feat: add Anthropic API key detection ([#​1910](https://github.com/gitleaks/gitleaks/issues/1910)) - [`7b02c98`](https://github.com/gitleaks/gitleaks/commit/7b02c98) fix(git): handle port ([#​1912](https://github.com/gitleaks/gitleaks/issues/1912)) - [`2a7bcff`](https://github.com/gitleaks/gitleaks/commit/2a7bcff) dont prematurely calculate fragment newlines ([#​1909](https://github.com/gitleaks/gitleaks/issues/1909)) - [`bd79c3e`](https://github.com/gitleaks/gitleaks/commit/bd79c3e) feat(allowlist): promote optimizations ([#​1908](https://github.com/gitleaks/gitleaks/issues/1908)) - [`7fb4eda`](https://github.com/gitleaks/gitleaks/commit/7fb4eda) Fix: CVEs on go and go crypto ([#​1868](https://github.com/gitleaks/gitleaks/issues/1868)) - [`a044b81`](https://github.com/gitleaks/gitleaks/commit/a044b81) feat: add artifactory reference token and api key detection ([#​1906](https://github.com/gitleaks/gitleaks/issues/1906)) - [`bf380d4`](https://github.com/gitleaks/gitleaks/commit/bf380d4) silly - [`f487f85`](https://github.com/gitleaks/gitleaks/commit/f487f85) Update gitleaks.yml - [`958f55a`](https://github.com/gitleaks/gitleaks/commit/958f55a) add just like that, no leaks ##### Optimizations [#​1909](https://github.com/gitleaks/gitleaks/issues/1909) waits to find newlines until a match. This ends up saving a boat load of time since before we were finding newlines for every fragment regardless if a rule matched or not. [#​1908](https://github.com/gitleaks/gitleaks/issues/1908) promoted [@​rgmz](https://github.com/rgmz) excellent stopword optimization ##### Composite Rules (Multi-part or `required` Rules) [#​1905](https://github.com/gitleaks/gitleaks/issues/1905) In v8.28.0 Gitleaks introduced composite rules, which are made up of a single "primary" rule and one or more auxiliary or `required` rules. To create a composite rule, add a `[[rules.required]]` table to the primary rule specifying an `id` and optionally `withinLines` and/or `withinColumns` proximity constraints. A fragment is a chunk of content that Gitleaks processes at once (typically a file, part of a file, or git diff), and proximity matching instructs the primary rule to only report a finding if the auxiliary `required` rules also find matches within the specified area of the fragment. **Proximity matching:** Using the `withinLines` and `withinColumns` fields instructs the primary rule to only report a finding if the auxiliary `required` rules also find matches within the specified proximity. You can set: - **`withinLines: N`** - required findings must be within N lines (vertically) - **`withinColumns: N`** - required findings must be within N characters (horizontally) - **Both** - creates a rectangular search area (both constraints must be satisfied) - **Neither** - fragment-level matching (required findings can be anywhere in the same fragment) Here are diagrams illustrating each proximity behavior: ``` p = primary captured secret a = auxiliary (required) captured secret fragment = section of data gitleaks is looking at *Fragment-level proximity* Any required finding in the fragment ┌────────┐ ┌──────┤fragment├─────┐ │ └──────┬─┤ │ ┌───────┐ │ │a│◀────┼─│✓ MATCH│ │ ┌─┐└─┘ │ └───────┘ │┌─┐ │p│ │ ││a│ ┌─┐└─┘ │ ┌───────┐ │└─┘ │a│◀──────────┼─│✓ MATCH│ └─▲─────┴─┴───────────┘ └───────┘ │ ┌───────┐ └────│✓ MATCH│ └───────┘ *Column bounded proximity* `withinColumns = 3` ┌────────┐ ┌────┬─┤fragment├─┬───┐ │ └──────┬─┤ │ ┌───────────┐ │ │ │a│◀┼───┼─│+1C ✓ MATCH│ │ ┌─┐└─┘ │ └───────────┘ │┌─┐ │ │p│ │ │ ┌──▶│a│ ┌─┐ └─┘ │ ┌───────────┐ │ │└─┘ ││a│◀────────┼───┼─│-2C ✓ MATCH│ │ │ ┘ │ └───────────┘ │ └── -3C ───0C─── +3C ─┘ │ ┌─────────┐ │ │ -4C ✗ NO│ └──│ MATCH │ └─────────┘ *Line bounded proximity* `withinLines = 4` ┌────────┐ ┌─────┤fragment├─────┐ +4L─ ─ ┴────────┘─ ─ ─│ │ │ │ ┌─┐ │ ┌────────────┐ │ ┌─┐ │a│◀──┼─│+1L ✓ MATCH │ 0L ┌─┐ │p│ └─┘ │ ├────────────┤ │ │a│◀──┴─┴────────┼─│-1L ✓ MATCH │ │ └─┘ │ └────────────┘ │ │ ┌─────────┐ -4L─ ─ ─ ─ ─ ─ ─ ─┌─┐─│ │-5L ✗ NO │ │ │a│◀┼─│ MATCH │ └────────────────┴─┴─┘ └─────────┘ *Line and column bounded proximity* `withinLines = 4` `withinColumns = 3` ┌────────┐ ┌─────┤fragment├─────┐ +4L ┌└────────┴ ┐ │ │ ┌─┐ │ ┌───────────────┐ │ │ │a│◀┼───┼─│+2L/+1C ✓ MATCH│ │ ┌─┐└─┘ │ └───────────────┘ 0L │ │p│ │ │ │ └─┘ │ │ │ │ │ ┌────────────┐ -4L ─ ─ ─ ─ ─ ─┌─┐ │ │-5L/+3C ✗ NO│ │ │a│◀┼─│ MATCH │ └───-3C────0L───+3C┴─┘ └────────────┘ ``` ### [`v8.27.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.1...v8.27.2) ##### Changelog - [`c7acf33`](https://github.com/gitleaks/gitleaks/commit/c7acf33) Merge branch 'master' of github.com:gitleaks/gitleaks - [`9faaa4a`](https://github.com/gitleaks/gitleaks/commit/9faaa4a) Add experimental allowlist optimizations ([#​1731](https://github.com/gitleaks/gitleaks/issues/1731)) - [`79068b3`](https://github.com/gitleaks/gitleaks/commit/79068b3) Detect Notion Public API Keys [#​1889](https://github.com/gitleaks/gitleaks/issues/1889) ([#​1890](https://github.com/gitleaks/gitleaks/issues/1890)) ### [`v8.27.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.0...v8.27.1) ##### Changelog - [`80468ef`](https://github.com/gitleaks/gitleaks/commit/80468ef) Merge branch 'master' of github.com:gitleaks/gitleaks - [`ef82237`](https://github.com/gitleaks/gitleaks/commit/ef82237) fix(atlassian): reduce false-positives for v1 pattern ([#​1892](https://github.com/gitleaks/gitleaks/issues/1892)) - [`2463f11`](https://github.com/gitleaks/gitleaks/commit/2463f11) Fix log suppresion issue ([#​1887](https://github.com/gitleaks/gitleaks/issues/1887)) - [`6f251ee`](https://github.com/gitleaks/gitleaks/commit/6f251ee) Added Heroku API Key New Version ([#​1883](https://github.com/gitleaks/gitleaks/issues/1883)) - [`20f9a1d`](https://github.com/gitleaks/gitleaks/commit/20f9a1d) Add Platform Bitbucket ([#​1886](https://github.com/gitleaks/gitleaks/issues/1886)) - [`722ce82`](https://github.com/gitleaks/gitleaks/commit/722ce82) Add Platform Gitea ([#​1884](https://github.com/gitleaks/gitleaks/issues/1884)) - [`79780b8`](https://github.com/gitleaks/gitleaks/commit/79780b8) Merge branch 'master' of github.com:gitleaks/gitleaks - [`c5683ca`](https://github.com/gitleaks/gitleaks/commit/c5683ca) prevent default warn message when max-archive-depth not set ([#​1881](https://github.com/gitleaks/gitleaks/issues/1881)) - [`0357c3c`](https://github.com/gitleaks/gitleaks/commit/0357c3c) prevent default warn message when max-archive-depth not set ### [`v8.27.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.26.0...v8.27.0) ##### Changelog - [`782f310`](https://github.com/gitleaks/gitleaks/commit/782f310) Archive support ([#​1872](https://github.com/gitleaks/gitleaks/issues/1872)) - [`489d13c`](https://github.com/gitleaks/gitleaks/commit/489d13c) Update README.md - [`d29ee55`](https://github.com/gitleaks/gitleaks/commit/d29ee55) Reduce aws-access-token false positives ([#​1876](https://github.com/gitleaks/gitleaks/issues/1876)) - [`611db65`](https://github.com/gitleaks/gitleaks/commit/611db65) Set `pass_filenames` to `false` for Docker hook ([#​1850](https://github.com/gitleaks/gitleaks/issues/1850)) - [`0589ae0`](https://github.com/gitleaks/gitleaks/commit/0589ae0) unicode decoding ([#​1854](https://github.com/gitleaks/gitleaks/issues/1854)) - [`82f7e32`](https://github.com/gitleaks/gitleaks/commit/82f7e32) Diagnostics ([#​1856](https://github.com/gitleaks/gitleaks/issues/1856)) - [`f97a9ee`](https://github.com/gitleaks/gitleaks/commit/f97a9ee) chore: include decoder in debug log ([#​1853](https://github.com/gitleaks/gitleaks/issues/1853)) Got another [@​bplaxco](https://github.com/bplaxco) release. Cheers! ##### Archive Scanning Sometimes secrets are packaged within archive files like zip files or tarballs, making them difficult to discover. Now you can tell gitleaks to automatically extract and scan the contents of archives. The flag `--max-archive-depth` enables this feature for both `dir` and `git` scan types. The default value of "0" means this feature is disabled by default. Recursive scanning is supported since archives can also contain other archives. The `--max-archive-depth` flag sets the recursion limit. Recursion stops when there are no new archives to extract, so setting a very high max depth just sets the potential to go that deep. It will only go as deep as it needs to. The findings for secrets located within an archive will include the path to the file inside the archive. Inner paths are separated with `!`. Example finding (shortened for brevity): ``` Finding: DB_PASSWORD=8ae31cacf141669ddfb5da ... File: testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod Line: 4 Commit: 6e6ee6596d337bb656496425fb98644eb62b4a82 ... Fingerprint: 6e6ee6596d337bb656496425fb98644eb62b4a82:testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod:generic-api-key:4 Link: https://github.com/leaktk/gitleaks/blob/6e6ee6596d337bb656496425fb98644eb62b4a82/testdata/archives/nested.tar.gz ``` This means a secret was detected on line 4 of `files/.env.prod.` which is in `archives/files.tar` which is in `testdata/archives/nested.tar.gz`. Currently supported formats: The [compression](https://github.com/mholt/archives?tab=readme-ov-file#supported-compression-formats) and [archive](https://github.com/mholt/archives?tab=readme-ov-file#supported-archive-formats) formats supported by mholt's [archives package](https://github.com/mholt/archives) are supported. ### [`v8.26.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.26.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.25.1...v8.26.0) ##### Changelog - [`78eebac`](https://github.com/gitleaks/gitleaks/commit/78eebac) Percent/URL Decoding Support ([#​1831](https://github.com/gitleaks/gitleaks/issues/1831)) - [`6f967ca`](https://github.com/gitleaks/gitleaks/commit/6f967ca) fix(kubernetes): remove slow element from pat ([#​1848](https://github.com/gitleaks/gitleaks/issues/1848)) - [`88f56d3`](https://github.com/gitleaks/gitleaks/commit/88f56d3) feat: identify slow file ([#​1479](https://github.com/gitleaks/gitleaks/issues/1479)) - [`9609928`](https://github.com/gitleaks/gitleaks/commit/9609928) rm 1password detect test since we test it in cfg gen - [`23cb69f`](https://github.com/gitleaks/gitleaks/commit/23cb69f) feat(rules): Add 1Password secret key detection ([#​1834](https://github.com/gitleaks/gitleaks/issues/1834)) Calling this one [@​bplaxco](https://github.com/bplaxco)'s release as he introduced a really clever method for mixed decoding without sacrificing too much performance. As I stated in his PR, I think he's either a wizard or some time traveling AI. Dude [is wicked smaht](https://www.youtube.com/watch?v=hIdsjNGCGz4) Anyways, Gitleaks now supports the following decoders: `hex`, `percent(url enconding)`, and `b64`. It's relatively straight forward to add a new decoder so if you're motivated, community contributions are welcomed! Here's an example: ``` ~/code/gitleaks-org/gitleaks (master) cat decode.txt text below aGVsbG8sIHdvcmxkIQ%3D%3D%0A text above ~/code/gitleaks-org/gitleaks (master) ./gitleaks dir decode.txt --max-decode-depth=2 --log-level=debug ○ │╲ │ ○ ○ ░ ░ gitleaks 4:08PM DBG using stdlib regex engine 4:08PM DBG unable to load gitleaks config from decode.txt/.gitleaks.toml since --source=decode.txt is a file, using default config 4:08PM DBG found .gitleaksignore file: .gitleaksignore 4:08PM DBG segment found: original=[29,38] pos=[29,38]: "%3D%3D%0A" -> "==\n" 4:08PM DBG segment found: original=[11,38] pos=[11,31]: "aGVsbG8sIHdvcmxkIQ==" -> "hello, world!" 4:08PM INF scanned ~50 bytes (50 bytes) in 1.5ms 4:08PM INF no leaks found ``` ### [`v8.25.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.25.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.25.0...v8.25.1) ##### Changelog - [`d1c7759`](https://github.com/gitleaks/gitleaks/commit/d1c7759) fix(detect): test all allowlists ([#​1845](https://github.com/gitleaks/gitleaks/issues/1845)) Big thanks [@​rgmz](https://github.com/rgmz) ### [`v8.25.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.25.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.3...v8.25.0) ##### Changelog - [`4451b45`](https://github.com/gitleaks/gitleaks/commit/4451b45) feat(config): define multiple global allowlists ([#​1777](https://github.com/gitleaks/gitleaks/issues/1777)) (cause for the minor bump change) - [`7fb21a4`](https://github.com/gitleaks/gitleaks/commit/7fb21a4) feat(rules): Add Perplexity AI API key detection ([#​1825](https://github.com/gitleaks/gitleaks/issues/1825)) - [`f6193bc`](https://github.com/gitleaks/gitleaks/commit/f6193bc) feat(gcp): increase rule entropy ([#​1840](https://github.com/gitleaks/gitleaks/issues/1840)) - [`9bc7257`](https://github.com/gitleaks/gitleaks/commit/9bc7257) Adding clickhouse scanner ([#​1826](https://github.com/gitleaks/gitleaks/issues/1826)) - [`b6cc71a`](https://github.com/gitleaks/gitleaks/commit/b6cc71a) fix(baseline): work with --redact ([#​1741](https://github.com/gitleaks/gitleaks/issues/1741)) - [`cfdeb0d`](https://github.com/gitleaks/gitleaks/commit/cfdeb0d) feat(rule): validate & sort rule when generating ([#​1817](https://github.com/gitleaks/gitleaks/issues/1817)) ### [`v8.24.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.3) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.2...v8.24.3) ##### Changelog - [`107a418`](https://github.com/gitleaks/gitleaks/commit/107a418) Add support for GitLab Runner Tokens (Routable) ([#​1820](https://github.com/gitleaks/gitleaks/issues/1820)) - [`7fac002`](https://github.com/gitleaks/gitleaks/commit/7fac002) bump repo version in pre-commit example ([#​1815](https://github.com/gitleaks/gitleaks/issues/1815)) - [`4b54104`](https://github.com/gitleaks/gitleaks/commit/4b54104) Fix currentLine out of bounds error ([#​1810](https://github.com/gitleaks/gitleaks/issues/1810)) - [`af7d5bc`](https://github.com/gitleaks/gitleaks/commit/af7d5bc) add support for Azure DevOps platform in SCM detection and link ([#​1807](https://github.com/gitleaks/gitleaks/issues/1807)) - [`3e8cd2d`](https://github.com/gitleaks/gitleaks/commit/3e8cd2d) Add MaxMind license key rule ([#​1771](https://github.com/gitleaks/gitleaks/issues/1771)) - [`ddcc753`](https://github.com/gitleaks/gitleaks/commit/ddcc753) implement new openai regex pattern ([#​1780](https://github.com/gitleaks/gitleaks/issues/1780)) - [`9708e65`](https://github.com/gitleaks/gitleaks/commit/9708e65) A first attempt adding hooks.slack.com/triggers/ ([#​1792](https://github.com/gitleaks/gitleaks/issues/1792)) - [`198e410`](https://github.com/gitleaks/gitleaks/commit/198e410) feat(generic): tweak false-positives ([#​1803](https://github.com/gitleaks/gitleaks/issues/1803)) - [`e273a97`](https://github.com/gitleaks/gitleaks/commit/e273a97) chore: tweak logging and readme for GITLEAKS\_CONFIG\_TOML feature ([#​1802](https://github.com/gitleaks/gitleaks/issues/1802)) - [`a503b58`](https://github.com/gitleaks/gitleaks/commit/a503b58) feat: add option to set config from env var with toml content ([#​1662](https://github.com/gitleaks/gitleaks/issues/1662)) ### [`v8.24.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.0...v8.24.2) ##### What's Changed - Fix `platform` flag being ignored with `gitleaks detect` by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1765 - Make AddFinding public by [@​bplaxco](https://github.com/bplaxco) in https://github.com/gitleaks/gitleaks/pull/1767 - FIX upgrade x/crypto to 0.31.0 to get rid of CVE-2024-45337 by [@​cgoessen](https://github.com/cgoessen) in https://github.com/gitleaks/gitleaks/pull/1768 - Upgrade rs/zerolog, spf13/cobra, and spf13/viper by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1769 - Infer `report-format` from `report-path` extension if no value is provided by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1776 - `generic-api-key`: ignore csrf-tokens by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1779 - Prevent Yocto/BitBake false positives with generic-api-key rule by [@​Okeanos](https://github.com/Okeanos) in https://github.com/gitleaks/gitleaks/pull/1783 - Fix decoded line allowlist by [@​zricethezav](https://github.com/zricethezav) in https://github.com/gitleaks/gitleaks/pull/1788 - Readme badge revisions by [@​jessp01](https://github.com/jessp01) in https://github.com/gitleaks/gitleaks/pull/1744 - feat(regexp): use standard regexp by default, make go-re2 opt-in by [@​twpayne](https://github.com/twpayne) in https://github.com/gitleaks/gitleaks/pull/1798 - gore2 release tags by [@​zricethezav](https://github.com/zricethezav) in https://github.com/gitleaks/gitleaks/pull/1801 ##### New Contributors - [@​cgoessen](https://github.com/cgoessen) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1768 - [@​Okeanos](https://github.com/Okeanos) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1783 - [@​jessp01](https://github.com/jessp01) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1744 - [@​twpayne](https://github.com/twpayne) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1798 **Full Changelog**: https://github.com/gitleaks/gitleaks/compare/v8.24.0...v8.24.2 ### [`v8.24.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.3...v8.24.0) ##### Changelog - [`c2afd56`](https://github.com/gitleaks/gitleaks/commit/c2afd56) Make paths and fingerprints platform-agnostic ([#​1622](https://github.com/gitleaks/gitleaks/issues/1622)) - [`818e32f`](https://github.com/gitleaks/gitleaks/commit/818e32f) Add Sonar rule ([#​1756](https://github.com/gitleaks/gitleaks/issues/1756)) - [`3fa5a3a`](https://github.com/gitleaks/gitleaks/commit/3fa5a3a) Minor false positive improvements ([#​1758](https://github.com/gitleaks/gitleaks/issues/1758)) - [`2020e6a`](https://github.com/gitleaks/gitleaks/commit/2020e6a) Add support for streaming DetectReader ([#​1760](https://github.com/gitleaks/gitleaks/issues/1760)) - [`9122a2d`](https://github.com/gitleaks/gitleaks/commit/9122a2d) chore: Update github.com/wasilibs/go-re2 to v1.9.0 ([#​1763](https://github.com/gitleaks/gitleaks/issues/1763)) - [`398d0c4`](https://github.com/gitleaks/gitleaks/commit/398d0c4) docs: describe extended rules take precedence over base rules ([#​1563](https://github.com/gitleaks/gitleaks/issues/1563)) - [`ae26eff`](https://github.com/gitleaks/gitleaks/commit/ae26eff) feat(git): disable link generation ([#​1748](https://github.com/gitleaks/gitleaks/issues/1748)) - [`c6424a6`](https://github.com/gitleaks/gitleaks/commit/c6424a6) added sourcegraph token rule ([#​1736](https://github.com/gitleaks/gitleaks/issues/1736)) - [`6411402`](https://github.com/gitleaks/gitleaks/commit/6411402) feat(config): add rule for .p12 files ([#​1738](https://github.com/gitleaks/gitleaks/issues/1738)) - [`d71d95d`](https://github.com/gitleaks/gitleaks/commit/d71d95d) add deno.lock to default exclusions ([#​1740](https://github.com/gitleaks/gitleaks/issues/1740)) ### [`v8.23.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.3) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.2...v8.23.3) ##### Changelog - [`3188ad6`](https://github.com/gitleaks/gitleaks/commit/3188ad6) Don't exit with error if git repacking is required ([#​1711](https://github.com/gitleaks/gitleaks/issues/1711)) - [`7fc11bb`](https://github.com/gitleaks/gitleaks/commit/7fc11bb) refactor(config): use non-capture groups for allowlists ([#​1735](https://github.com/gitleaks/gitleaks/issues/1735)) - [`36c52c6`](https://github.com/gitleaks/gitleaks/commit/36c52c6) chore: Enhance `curl-auth-user` to detect empty usernames or passwords ([#​1726](https://github.com/gitleaks/gitleaks/issues/1726)) - [`1f323d8`](https://github.com/gitleaks/gitleaks/commit/1f323d8) fix(cmd): read log-opts before GitLogCmd ([#​1730](https://github.com/gitleaks/gitleaks/issues/1730)) ### [`v8.23.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.1...v8.23.2) ##### Changelog - [`d88bc09`](https://github.com/gitleaks/gitleaks/commit/d88bc09) facebook keyword - [`3fdaefd`](https://github.com/gitleaks/gitleaks/commit/3fdaefd) fix(meraki): restrict keyword case ([#​1722](https://github.com/gitleaks/gitleaks/issues/1722)) - [`f3ae52e`](https://github.com/gitleaks/gitleaks/commit/f3ae52e) feat(generic-api-key): detect base64 ([#​1598](https://github.com/gitleaks/gitleaks/issues/1598)) - [`d6a828a`](https://github.com/gitleaks/gitleaks/commit/d6a828a) great branch name ([#​1721](https://github.com/gitleaks/gitleaks/issues/1721)) - [`d2ffffe`](https://github.com/gitleaks/gitleaks/commit/d2ffffe) fix(git): remove .git suffix for links ([#​1716](https://github.com/gitleaks/gitleaks/issues/1716)) - [`a43dc0d`](https://github.com/gitleaks/gitleaks/commit/a43dc0d) chore: refine generic-api-key fps + trace logging ([#​1720](https://github.com/gitleaks/gitleaks/issues/1720)) - [`69ed20e`](https://github.com/gitleaks/gitleaks/commit/69ed20e) fix(generate): move newline out of char range ([#​1719](https://github.com/gitleaks/gitleaks/issues/1719)) - [`52b895a`](https://github.com/gitleaks/gitleaks/commit/52b895a) newline literal ([#​1718](https://github.com/gitleaks/gitleaks/issues/1718)) - [`3f4d91f`](https://github.com/gitleaks/gitleaks/commit/3f4d91f) build: support either stdlib or 3rd-party regexp ([#​1706](https://github.com/gitleaks/gitleaks/issues/1706)) - [`049f5b2`](https://github.com/gitleaks/gitleaks/commit/049f5b2) chore(detect): update trace logging ([#​1713](https://github.com/gitleaks/gitleaks/issues/1713)) - [`7a6183d`](https://github.com/gitleaks/gitleaks/commit/7a6183d) feat(git): redact passwords from remote URL ([#​1709](https://github.com/gitleaks/gitleaks/issues/1709)) - [`3c7f3f0`](https://github.com/gitleaks/gitleaks/commit/3c7f3f0) feat(git): include link in report ([#​1698](https://github.com/gitleaks/gitleaks/issues/1698)) - [`0e3f4f7`](https://github.com/gitleaks/gitleaks/commit/0e3f4f7) chore: reduce generic-api-key fps ([#​1707](https://github.com/gitleaks/gitleaks/issues/1707)) - [`3ed8567`](https://github.com/gitleaks/gitleaks/commit/3ed8567) blorp - [`e977850`](https://github.com/gitleaks/gitleaks/commit/e977850) added new rule for cisco meraki api key ([#​1700](https://github.com/gitleaks/gitleaks/issues/1700)) - [`ad7a4fb`](https://github.com/gitleaks/gitleaks/commit/ad7a4fb) feat: general fp tweaks ([#​1703](https://github.com/gitleaks/gitleaks/issues/1703)) - [`b2cf03c`](https://github.com/gitleaks/gitleaks/commit/b2cf03c) chore(generate): use \x60 instead of literal ([#​1702](https://github.com/gitleaks/gitleaks/issues/1702)) - [`a3f623c`](https://github.com/gitleaks/gitleaks/commit/a3f623c) chore(regex): simplify secretPrefix, suffix ([#​1620](https://github.com/gitleaks/gitleaks/issues/1620)) - [`cc71bb1`](https://github.com/gitleaks/gitleaks/commit/cc71bb1) update version for pre-commit in README.md ([#​1699](https://github.com/gitleaks/gitleaks/issues/1699)) ### [`v8.23.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.0...v8.23.1) ##### Changelog - [`7bad9f7`](https://github.com/gitleaks/gitleaks/commit/7bad9f7) chore(gcp): add firebase example keys to the gcp-api-key allowlists ([#​1635](https://github.com/gitleaks/gitleaks/issues/1635)) - [`977236c`](https://github.com/gitleaks/gitleaks/commit/977236c) fix: unaligned 64-bit atomic operation panic ([#​1696](https://github.com/gitleaks/gitleaks/issues/1696)) - [`a211b16`](https://github.com/gitleaks/gitleaks/commit/a211b16) force push to master everyday - [`0e5f644`](https://github.com/gitleaks/gitleaks/commit/0e5f644) feat(config): disable extended rule ([#​1535](https://github.com/gitleaks/gitleaks/issues/1535)) - [`f320a60`](https://github.com/gitleaks/gitleaks/commit/f320a60) style: prevent globbing and word splitting ([#​1543](https://github.com/gitleaks/gitleaks/issues/1543)) - [`c4526b2`](https://github.com/gitleaks/gitleaks/commit/c4526b2) refactor(generic-api-key): remove hard-coded 'magic' ([#​1600](https://github.com/gitleaks/gitleaks/issues/1600)) - [`748076d`](https://github.com/gitleaks/gitleaks/commit/748076d) chore(generate): add failing test case ([#​1690](https://github.com/gitleaks/gitleaks/issues/1690)) ### [`v8.23.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.22.1...v8.23.0) ##### Changelog - [`db8e5e6`](https://github.com/gitleaks/gitleaks/commit/db8e5e6) feat(generate): use multiple allowlists ([#​1691](https://github.com/gitleaks/gitleaks/issues/1691)) - [`973c794`](https://github.com/gitleaks/gitleaks/commit/973c794) chore(rules): include fps in reference ([#​1471](https://github.com/gitleaks/gitleaks/issues/1471)) - [`f0d4499`](https://github.com/gitleaks/gitleaks/commit/f0d4499) Add comma as operator for GenerateSemiGenericRegex ([#​1679](https://github.com/gitleaks/gitleaks/issues/1679)) - [`ab38a46`](https://github.com/gitleaks/gitleaks/commit/ab38a46) refactor: central logger ([#​1692](https://github.com/gitleaks/gitleaks/issues/1692)) - [`b022d1c`](https://github.com/gitleaks/gitleaks/commit/b022d1c) friendship ended with tines READ THIS!!! The default gitleaks config now uses `[[rules.allowlists]]` ```toml ##### ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`. ##### This change was backwards-compatible: instances of `[rules.allowlist]` still work. # ##### You can define multiple allowlists for a rule to reduce false positives. ##### A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches. [[rules.allowlists]] description = "ignore commit A" ##### When multiple criteria are defined the default condition is "OR". ##### e.g., this can match on |commits| OR |paths| OR |stopwords|. condition = "OR" commits = [ "commit-A", "commit-B"] paths = [ '''go\.mod''', '''go\.sum''' ] ##### note: stopwords targets the extracted secret, not the entire regex match ##### like 'regexes' does. (stopwords introduced in 8.8.0) stopwords = [ '''client''', '''endpoint''', ] [[rules.allowlists]] ##### The "AND" condition can be used to make sure all criteria match. ##### e.g., this matches if |regexes| AND |paths| are satisfied. condition = "AND" ##### note: |regexes| defaults to check the _Secret_ in the finding. ##### Acceptable values for |regexTarget| are "secret" (default), "match", and "line". regexTarget = "match" regexes = [ '''(?i)parseur[il]''' ] paths = [ '''package-lock\.json''' ] ``` ### [`v8.22.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.22.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.22.0...v8.22.1) ##### Changelog - [`b69b515`](https://github.com/gitleaks/gitleaks/commit/b69b515) Entropy trace ([#​1659](https://github.com/gitleaks/gitleaks/issues/1659)) - [`7357adc`](https://github.com/gitleaks/gitleaks/commit/7357adc) build: add 'toolchain' to go.mod ([#​1682](https://github.com/gitleaks/gitleaks/issues/1682)) - [`4c3da6e`](https://github.com/gitleaks/gitleaks/commit/4c3da6e) refactor(detect): create readUntilSafeBoundary + add tests ([#​1676](https://github.com/gitleaks/gitleaks/issues/1676)) - [`dbe3746`](https://github.com/gitleaks/gitleaks/commit/dbe3746) twitter really does suck ass now - [`7edfc6b`](https://github.com/gitleaks/gitleaks/commit/7edfc6b) chore(tests): test cases for generate.go ([#​1623](https://github.com/gitleaks/gitleaks/issues/1623)) - [`efe40ca`](https://github.com/gitleaks/gitleaks/commit/efe40ca) fix: only use non-empty secret groups ([#​1632](https://github.com/gitleaks/gitleaks/issues/1632)) - [`7cb5f6f`](https://github.com/gitleaks/gitleaks/commit/7cb5f6f) build: upgrade sprig v2->v3 ([#​1674](https://github.com/gitleaks/gitleaks/issues/1674)) - [`2930537`](https://github.com/gitleaks/gitleaks/commit/2930537) fix: generate report file even if no findings ([#​1673](https://github.com/gitleaks/gitleaks/issues/1673)) ### [`v8.22.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.22.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.4...v8.22.0) ##### Changelog - [`a91c671`](https://github.com/gitleaks/gitleaks/commit/a91c671) replace std library regex engine with go-re2 ([#​1669](https://github.com/gitleaks/gitleaks/issues/1669)) *** This bumps the gitleaks binary size from around 8.5MB to 15MB but yields 2-4x speedup. Worth it imo. If you feel strongly against this change feel free to open an issue where we can discuss the tradeoffs in more depth. Credit to [@​ahrav](https://github.com/ahrav) ### [`v8.21.4`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.4) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.3...v8.21.4) ##### Changelog - [`906085f`](https://github.com/gitleaks/gitleaks/commit/906085f) Update golang version to 1.23 ([#​1672](https://github.com/gitleaks/gitleaks/issues/1672)) - [`8a83062`](https://github.com/gitleaks/gitleaks/commit/8a83062) log bytes ([#​1670](https://github.com/gitleaks/gitleaks/issues/1670)) ### [`v8.21.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.3) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.2...v8.21.3) ##### Changelog - [`a9e6d8c`](https://github.com/gitleaks/gitleaks/commit/a9e6d8c) go mod 1.23 - [`2f73a3e`](https://github.com/gitleaks/gitleaks/commit/2f73a3e) Ensure keywords are downcased ([#​1633](https://github.com/gitleaks/gitleaks/issues/1633)) - [`f696605`](https://github.com/gitleaks/gitleaks/commit/f696605) feat: add settlemint api keys detection ([#​1663](https://github.com/gitleaks/gitleaks/issues/1663)) - [`0bf13fc`](https://github.com/gitleaks/gitleaks/commit/0bf13fc) feat(dir): better chunking ([#​1665](https://github.com/gitleaks/gitleaks/issues/1665)) - [`83e99ba`](https://github.com/gitleaks/gitleaks/commit/83e99ba) feat(report): allow user-defined templates ([#​1650](https://github.com/gitleaks/gitleaks/issues/1650)) - [`e393d29`](https://github.com/gitleaks/gitleaks/commit/e393d29) Add support for GitLab routable tokens ([#​1656](https://github.com/gitleaks/gitleaks/issues/1656)) - [`263ce82`](https://github.com/gitleaks/gitleaks/commit/263ce82) Add freemius secret key detection ([#​1611](https://github.com/gitleaks/gitleaks/issues/1611)) - [`3c0e068`](https://github.com/gitleaks/gitleaks/commit/3c0e068) fix(kubernetes): only match 'kind: secret' ([#​1649](https://github.com/gitleaks/gitleaks/issues/1649)) - [`f3adda0`](https://github.com/gitleaks/gitleaks/commit/f3adda0) feat: use STDOUT when report file not specified ([#​1642](https://github.com/gitleaks/gitleaks/issues/1642)) - [`ed205a5`](https://github.com/gitleaks/gitleaks/commit/ed205a5) fix(dir): skip opening file\&dir if allowlist matches ([#​1653](https://github.com/gitleaks/gitleaks/issues/1653)) - [`6018012`](https://github.com/gitleaks/gitleaks/commit/6018012) fix: increase chunk size 10kb -> 100kb ([#​1652](https://github.com/gitleaks/gitleaks/issues/1652)) - [`7f77987`](https://github.com/gitleaks/gitleaks/commit/7f77987) feat: detect sentry.io tokens in the new format ([#​1640](https://github.com/gitleaks/gitleaks/issues/1640)) - [`48a2e0e`](https://github.com/gitleaks/gitleaks/commit/48a2e0e) refactor: pre-commit hooks ([#​1627](https://github.com/gitleaks/gitleaks/issues/1627)) - [`4e303d0`](https://github.com/gitleaks/gitleaks/commit/4e303d0) fix(easypost): only detect tokens of correct length ([#​1628](https://github.com/gitleaks/gitleaks/issues/1628)) - [`c1add1d`](https://github.com/gitleaks/gitleaks/commit/c1add1d) feat(dir): continue on permission error ([#​1621](https://github.com/gitleaks/gitleaks/issues/1621)) - [`202106a`](https://github.com/gitleaks/gitleaks/commit/202106a) Add human readable description for curl rules ([#​1625](https://github.com/gitleaks/gitleaks/issues/1625)) - [`8e94f98`](https://github.com/gitleaks/gitleaks/commit/8e94f98) Add option to include `Line` field in report ([#​1616](https://github.com/gitleaks/gitleaks/issues/1616)) - [`dbb42a7`](https://github.com/gitleaks/gitleaks/commit/dbb42a7) hm (great comment) - [`2599460`](https://github.com/gitleaks/gitleaks/commit/2599460) Update README.md - [`8ffb980`](https://github.com/gitleaks/gitleaks/commit/8ffb980) nop for stupid build - [`4181ad6`](https://github.com/gitleaks/gitleaks/commit/4181ad6) Add new jira api token pattern ([#​1601](https://github.com/gitleaks/gitleaks/issues/1601)) - [`48ea14b`](https://github.com/gitleaks/gitleaks/commit/48ea14b) feat: update global & generic allowlist ([#​1618](https://github.com/gitleaks/gitleaks/issues/1618)) - [`81f0002`](https://github.com/gitleaks/gitleaks/commit/81f0002) fix(vault-service-token): ensure that TPS contains digits ([#​1614](https://github.com/gitleaks/gitleaks/issues/1614)) - [`c11adc9`](https://github.com/gitleaks/gitleaks/commit/c11adc9) Generate comprehensive secret samples ([#​1484](https://github.com/gitleaks/gitleaks/issues/1484)) - [`d1d9054`](https://github.com/gitleaks/gitleaks/commit/d1d9054) fix(aws): detect token in url ([#​1615](https://github.com/gitleaks/gitleaks/issues/1615)) - [`5fe58bf`](https://github.com/gitleaks/gitleaks/commit/5fe58bf) fix(rules): entropy, uppercase in samples ([#​1593](https://github.com/gitleaks/gitleaks/issues/1593)) - [`5c2e813`](https://github.com/gitleaks/gitleaks/commit/5c2e813) feat: tweak rules ([#​1608](https://github.com/gitleaks/gitleaks/issues/1608)) ### [`v8.21.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.1...v8.21.2) ##### Changelog - [`43fae35`](https://github.com/gitleaks/gitleaks/commit/43fae35) feat(rules): create Octopus Deploy api key ([#​1602](https://github.com/gitleaks/gitleaks/issues/1602)) - [`a158e4f`](https://github.com/gitleaks/gitleaks/commit/a158e4f) fix(aws-access-token): only match if correct length ([#​1584](https://github.com/gitleaks/gitleaks/issues/1584)) - [`b6e0eee`](https://github.com/gitleaks/gitleaks/commit/b6e0eee) fix(config): ignore jquery/swagger w/o version ([#​1607](https://github.com/gitleaks/gitleaks/issues/1607)) - [`722e7d8`](https://github.com/gitleaks/gitleaks/commit/722e7d8) feat: add new GitLab tokens ([#​1560](https://github.com/gitleaks/gitleaks/issues/1560)) - [`961f2e6`](https://github.com/gitleaks/gitleaks/commit/961f2e6) feat(generic-api-key): tune false positives ([#​1606](https://github.com/gitleaks/gitleaks/issues/1606)) - [`e734fcf`](https://github.com/gitleaks/gitleaks/commit/e734fcf) Create .gitleaks.toml ([#​1605](https://github.com/gitleaks/gitleaks/issues/1605)) - [`7206d6b`](https://github.com/gitleaks/gitleaks/commit/7206d6b) feat(curl): tweak tps and fps ([#​1603](https://github.com/gitleaks/gitleaks/issues/1603)) - [`2db25f1`](https://github.com/gitleaks/gitleaks/commit/2db25f1) feat(config): ignore swagger-ui assets ([#​1604](https://github.com/gitleaks/gitleaks/issues/1604)) - [`e97695b`](https://github.com/gitleaks/gitleaks/commit/e97695b) feat(generic-api-key): exclude keywords ([#​1587](https://github.com/gitleaks/gitleaks/issues/1587)) - [`0afb525`](https://github.com/gitleaks/gitleaks/commit/0afb525) feat(okta): bump entropy to 4 ([#​1599](https://github.com/gitleaks/gitleaks/issues/1599)) - [`2068870`](https://github.com/gitleaks/gitleaks/commit/2068870) feat: update global allowlist ([#​1597](https://github.com/gitleaks/gitleaks/issues/1597)) - [`8cf93b9`](https://github.com/gitleaks/gitleaks/commit/8cf93b9) refactor(allowlist): deduplicate commits & keywords ([#​1596](https://github.com/gitleaks/gitleaks/issues/1596)) - [`50c2818`](https://github.com/gitleaks/gitleaks/commit/50c2818) feat(config): ignore jquery static assets ([#​1595](https://github.com/gitleaks/gitleaks/issues/1595)) - [`455ae0a`](https://github.com/gitleaks/gitleaks/commit/455ae0a) More rule fixes ([#​1586](https://github.com/gitleaks/gitleaks/issues/1586)) - [`5407c44`](https://github.com/gitleaks/gitleaks/commit/5407c44) chore: log skipped symlinks ([#​1591](https://github.com/gitleaks/gitleaks/issues/1591)) - [`d03d6c4`](https://github.com/gitleaks/gitleaks/commit/d03d6c4) feat: match left side of identifier ([#​1585](https://github.com/gitleaks/gitleaks/issues/1585)) - [`851c11a`](https://github.com/gitleaks/gitleaks/commit/851c11a) what secrets? - [`8cfa6b2`](https://github.com/gitleaks/gitleaks/commit/8cfa6b2) fix(rules): add entropy ([#​1580](https://github.com/gitleaks/gitleaks/issues/1580)) - [`9152eaa`](https://github.com/gitleaks/gitleaks/commit/9152eaa) feat(aws): add entropy & allowlist ([#​1582](https://github.com/gitleaks/gitleaks/issues/1582)) - [`93acc6e`](https://github.com/gitleaks/gitleaks/commit/93acc6e) feat(rules): add 1password token ([#​1583](https://github.com/gitleaks/gitleaks/issues/1583)) - [`83a5724`](https://github.com/gitleaks/gitleaks/commit/83a5724) feat(config): add curl header rule ([#​1576](https://github.com/gitleaks/gitleaks/issues/1576)) ### [`v8.21.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.0...v8.21.1) ##### Changelog - [`cf5334f`](https://github.com/gitleaks/gitleaks/commit/cf5334f) feat: add curl basic auth rule ([#​1575](https://github.com/gitleaks/gitleaks/issues/1575)) - [`d07b394`](https://github.com/gitleaks/gitleaks/commit/d07b394) Update spelling in README.md ([#​1574](https://github.com/gitleaks/gitleaks/issues/1574)) - [`5c03fa4`](https://github.com/gitleaks/gitleaks/commit/5c03fa4) refactor(allowlist): use iota for condition ([#​1569](https://github.com/gitleaks/gitleaks/issues/1569)) - [`12034a7`](https://github.com/gitleaks/gitleaks/commit/12034a7) refactor(config): temporarily switch to \[rules.allowlist] ([#​1573](https://github.com/gitleaks/gitleaks/issues/1573)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: https://git.unespace.com/julien/apf_portal/pulls/79 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
4476cbb518 |
docs(decisions): add ADR-0018 — environment configuration strategy (#80)
## Summary
Records the per-environment config strategy for both apps. ADR-only — no code changes; the implementation is anchored in §Confirmation against the next feature work that touches per-environment values.
## What lands
[**ADR-0018 — Environment configuration**](docs/decisions/0018-environment-configuration-strategy.md):
- **SPA**: Angular `environment.ts` + project.json `fileReplacements`. Build-time substitution; no runtime config fetch (rejected for the LCP/TTFB cost it would add and the deploy-time HTML rewrite that the alternatives need). Concretely cleans up the hard-coded URLs we left in `observability/tracing.ts` and `home-status.service.ts` ("hard-coded for v1 — env-config when it lands" comments).
- **BFF**: keep `process.env` + small per-key boot-time validators (the shape `apps/portal-bff/src/config/check-database-url.ts` already follows). `@nestjs/config` rejected as too heavy for the current key count; `zod` not justified yet.
- **Audit log connection**: formalises the `AUDIT_DATABASE_URL` split that ADR-0013 §"Wired as features land" already pointed at. When set, the `AuditModule` instantiates a second Prisma client with `audit_writer`-only credentials (defense in depth); when unset, the dev fallback (shared pool + `SET LOCAL ROLE audit_writer` per transaction) keeps working. A boot-time `UPDATE`-rejection self-test runs against the dedicated pool when configured — refuses to start if the pool can mutate the audit table.
The §Confirmation block cross-references the env-var-as-boot-gate items already pre-figured in ADR-0009 / ADR-0010 / ADR-0012 / ADR-0013 / ADR-0014, so the validator pattern is the single landing place when those features ship.
## What does NOT change in this PR
- No `apps/portal-shell/src/environments/*.ts` files yet — landed alongside the next feature that actually needs per-environment values.
- No `AUDIT_DATABASE_URL` validator in BFF — same; lands when the second pool is wired.
- No CLAUDE.md restructuring; just one extra bullet under the Architecture summary referencing ADR-0018.
## Doc updates
- `docs/decisions/README.md` index — new row for ADR-0018.
- `CLAUDE.md` Architecture summary — one-line reference to ADR-0018 between the perf-budget and local-quality-gates entries.
## Test plan
- [ ] CI green on this PR (`format:check`).
- [ ] ADR-0018 renders in the doc index with the right tags (`frontend`, `backend`, `infrastructure`, `process`) and 2026-05-10 date.
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #80
|
||
|
|
4473b1d4a4 |
chore(ci): track trivy and gitleaks binary versions via renovate custom manager (#78)
## Summary Until now the Trivy and gitleaks pins in `.gitea/workflows/*.yml` were manual — Renovate's built-in managers only see package-manager-tracked deps (npm, docker-compose images, GitHub Actions, etc.) and ignore plain env vars. The comment in each workflow telling the next contributor to "bump manually from the releases page" is the kind of friction that gets forgotten between two security advisories. Add a **custom regex manager** that picks up `# renovate: datasource=… depName=…` annotations immediately followed by an env-var assignment of the form `<NAME>_VERSION: '<version>'`. The 4 pins (`TRIVY_VERSION` + `GITLEAKS_VERSION` in both `ci.yml` and `security-scheduled.yml`) get annotated with the `github-releases` datasource and the upstream `owner/repo` depName. `extractVersionTemplate: ^v?(?<version>.+)$` strips the `v` prefix used by both projects' release tags, so the version substituted into the env var (which our shell script consumes without `v`) stays correct. ## What lands - **`renovate.json`** — new `customManagers` block. The dashboard triage header is updated to reflect the new tracking (was "not Renovate-tracked yet"). - **`.gitea/workflows/ci.yml`** — annotate the Trivy and gitleaks env vars; remove the dead "manual bump" comments. - **`.gitea/workflows/security-scheduled.yml`** — same. ## Verified Node-side dry-run of the regex against both workflow files: ``` ci.yml → trivy 0.70.0, gitleaks 8.21.0 security-scheduled.yml → trivy 0.70.0, gitleaks 8.21.0 ``` All 4 expected matches with the right `datasource` / `depName` / `currentValue` captures. ## Test plan - [ ] CI green on this PR. - [ ] After merge, the next Renovate run picks up Trivy and gitleaks as detected dependencies in the dashboard. New patch / minor releases should now produce normal Renovate PRs (auto-merging on patches per #74). - [ ] No manual "bump from the releases page" reminders left in the workflow YAML. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #78 |
||
|
|
922a44bb50 |
chore(ci): auto-merge low-risk renovate updates (#77)
## Summary After ~10 days of clean Renovate track record (~30 PRs merged without regression beyond the TS/ESLint/webpack-cli majors that the dashboard-approval rule now catches), enable auto-merge on the lowest-risk update types. CI is the gate — `check` / `scan` / `a11y` going red leaves the PR open for manual triage. | Update type | Pre-PR | Post-PR | | - | - | - | | **patch** | manual review | **auto-merge if CI green** | | **pin** (rolling-tag → fixed-version pin) | manual | **auto-merge if CI green** | | **digest** (image digest pin refresh) | manual | **auto-merge if CI green** | | **lockFileMaintenance** (weekly transitive refresh) | manual | **auto-merge if CI green** | | **minor** | manual review (unchanged) | manual review | | **major** | dashboard approval (unchanged) | dashboard approval | `automergeStrategy: "squash"` matches our trunk-based squash-merge convention. `automergeType: "pr"` keeps the PR + CI run as the audit trail (vs branch-direct push), and Gitea auto-merges the PR once green via the bot's existing `repo:write` permission. ## Doc updates - `renovate.json` `dependencyDashboardHeader` — the "Open" row now reflects the new reality: mostly minors, with red patches surfacing briefly when CI fails. - `docs/development.md` §"Reviewing Renovate PRs" gains a bullet describing the auto-merge for contributors landing on the project later. ## Test plan - [ ] CI green on this PR. - [ ] After merge, the next patch-level Renovate run produces a PR that auto-squashes into `main` once CI clears (visible in the merged log; no human action required). - [ ] A patch with red CI stays open in "Open" with the `dependencies` label. - [ ] Minor / major Renovate PRs continue to require human merge. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #77 |
||
|
|
02ac44e498 |
feat(portal-bff): audit log foundation per ADR-0013 (#76)
## Summary Lays down the append-only audit log per ADR-0013: schema declaration, first migration with role grants, NestJS `AuditWriter` service. Typed event-family methods, the separate `AUDIT_DATABASE_URL` pool, the retention job, and the live-DB integration tests are explicitly listed as "wired as features land" in the ADR's confirmation block — they ship when the matching feature ADRs do. ## What lands **Prisma schema** ([`apps/portal-bff/prisma/schema.prisma`](apps/portal-bff/prisma/schema.prisma)): - `multiSchema` preview enabled; datasource declares `public` + `audit` schemas. - `AuditEvent` model: `id` (uuid), `createdAt`, `eventType` (free-form in v1), `audience` enum (`workforce | customer`), `actorIdHash`, `traceId`, `subject`, `outcome` enum (`success | failure | denied`), `payload` (jsonb). - Indexes on `createdAt`, `eventType`, `traceId` — covering the three obvious query shapes. **Migration** ([`prisma/migrations/*_init_audit_schema/migration.sql`](apps/portal-bff/prisma/migrations/20260510011453_init_audit_schema/migration.sql)): - Standard Prisma `CREATE TABLE` / enums output, then the **append-only contract** re-applied explicitly: - `ALTER TABLE/TYPE OWNER TO audit_owner`. - `GRANT INSERT` to `audit_writer`, `SELECT` to `audit_reader`, **`SELECT, DELETE`** to `audit_archiver` (SELECT is needed to evaluate the `created_at` predicate of "delete older than retention" — Postgres requires SELECT on every column referenced in DELETE's WHERE). - `GRANT USAGE` on the enum types to all three roles (without it `audit_writer.INSERT` fails with "permission denied for type"). - **No** GRANT for `UPDATE` / `TRUNCATE` to anyone — including `audit_owner` at runtime; only fresh schema migrations amend the table. **Service** ([`apps/portal-bff/src/audit/`](apps/portal-bff/src/audit/)): - `AuditWriter.recordEvent(input)` — single entry point. Wraps every INSERT in a transaction whose first statement is `SET LOCAL ROLE audit_writer`, so the role contract holds at runtime even from the otherwise-privileged BFF connection. - `traceId` auto-resolved from the active OTel span (so audit row joins with traces and Pino logs on the same `trace_id`). - `actorIdHash` auto-resolved from CLS (key `actorIdHash`) with explicit input-side override; `null` when neither is set (placeholder until ADR-0009 / ADR-0010 guards populate CLS). - Errors propagate (no catch-and-swallow), per ADR-0013's "blocking writes: no audit ⇒ no action". **Tests** — 8 unit tests on `AuditWriter` (mocked Prisma + CLS): role-locking ordering, input pass-through, `Prisma.JsonNull` for missing payload, CLS-vs-input precedence on `actorIdHash`, OTel trace capture, error propagation. ## End-to-end verification (manual, against local-dev Postgres) ``` INSERT under audit_writer: ok UPDATE under audit_writer: permission denied for table events DELETE under audit_writer: permission denied for table events DELETE under audit_archiver: ok, row removed (after the SELECT-grant fix) ``` ## ADR-0013 §Confirmation rewritten Two-block split: "wired in foundation PR" lists what landed here; "wired as features land" lists the typed event-family methods, AUDIT_DATABASE_URL connection split, startup self-test probe, retention purge job, salt-shared cross-correlation test, and live-DB role-contract integration tests — each anchored to the feature ADR that triggers it. ## Recovery for anyone with a pre-existing local-dev DB If your local-dev Postgres already had the audit migration applied **before** the SELECT-grant fix, the archiver's DELETE will fail. Two options: 1. Apply the missing grant directly: ```bash psql "$DATABASE_URL" -c "GRANT SELECT ON audit.events TO audit_archiver;" ``` 2. Or wipe the volume and re-migrate cleanly: ```bash ./infra/local/dev.sh down -v ./infra/local/dev.sh up pnpm --filter @apf-portal/source exec prisma migrate deploy # or `cd apps/portal-bff && pnpm exec prisma migrate deploy` ``` Fresh DBs land with the corrected migration directly. ## Out of scope (separate PRs) - Typed event-family methods (`signIn`, `signInFailed`, …) — added per matching feature ADR. - `AUDIT_DATABASE_URL` separate connection pool — defense-in-depth, when production needs it. - Startup self-test probe (deliberate failing UPDATE asserting rejection) — lands with the connection split. - Retention purge job (`audit_archiver` daily cron) — phase-3b infra. - Live-DB integration tests asserting the role contract — Testcontainers-style harness, separate PR. ## Test plan - [ ] CI green on this PR. - [ ] `prisma migrate deploy` succeeds on a fresh DB (the recovery instructions cover the SELECT-grant gap for already-migrated dev DBs). - [ ] `psql -c "\dp audit.events"` shows the expected privilege matrix: `audit_owner=arwdDxtm/audit_owner`, `audit_writer=a/audit_owner`, `audit_reader=r/audit_owner`, `audit_archiver=rd/audit_owner`. - [ ] BFF boots; calling `AuditWriter.recordEvent` from a controller (manual smoke once a real flow lands) writes to `audit.events` with the expected `trace_id` matching the request's Jaeger span. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #76 |
||
|
|
e2dd2e4dd8 |
fix(portal-shell): use .postcssrc.json so tailwind utilities are emitted (#75)
## Summary The portal-shell scaffold shipped a `postcss.config.js`, but `@angular/build` (Angular 17+ esbuild pipeline) does **not** load that file format — it only reads `.postcssrc.json`. Result: the `@tailwindcss/postcss` plugin was never registered, Tailwind ran with no source files visible, generated only its `@theme` block, and dropped every utility class on the floor. The page therefore rendered unstyled — black text on white — even though `nx build` reported success and shipped a 23 KB `styles*.css`. Rename / re-encode the config to `.postcssrc.json`. Same plugin, same options, just the file format Angular's esbuild adapter actually reads. ## Verification | | Before | After | | - | - | - | | Class selectors in `dist/apps/portal-shell/browser/styles*.css` | **0** | **75** (production) | | `.text-3xl`, `.bg-amber-50`, `.font-semibold` etc. emitted | ❌ | ✓ | | Pages render with intended Tailwind layout | ❌ | ✓ | ```bash pnpm exec nx build portal-shell --configuration=production grep -oE '\.[a-zA-Z][a-zA-Z0-9_-]*' dist/apps/portal-shell/browser/styles*.css | sort -u | wc -l # 75 ``` ## Doc update `docs/development.md` repo-layout walkthrough now reads `.postcssrc.json` and explicitly calls out that `postcss.config.js` is ignored by `@angular/build` — so a future contributor reaching for the legacy filename gets a hint instead of a silent failure. ## Test plan - [ ] CI green on this PR. - [ ] Local: bring up the SPA dev server, `localhost:4200` shows the styled layout — header bar with brand link, system-status widget with rounded card, footer with the two language links. - [ ] Production build: `nx build portal-shell --configuration=production` succeeds; `dist/.../styles*.css` contains tens of utility-class selectors (not just `@theme` tokens). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #75 |
||
|
|
0d31937aeb |
feat(portal-shell): replace nx-welcome with real shell and home + budgets per ADR-0017 (#74)
## Summary Cuts the Nx scaffold's `NxWelcome` page (938 LOC of placeholder markup) and lays down the actual portal layout — header, main, footer landmarks plus a skip link — with a real home page and the two RGAA-mandated accessibility statement routes. Bundle budgets in `project.json` are tightened to match ADR-0017. ## What lands **Layout shell** (`apps/portal-shell/src/app/`): - `components/header/` — brand link + primary nav landmark stub - `components/footer/` — accessibility statement links (FR + EN) + version badge - `app.html` / `app.scss` — flex column with sticky footer + skip link to `#main-content` (WCAG 2.4.1) **Pages**: - `pages/home/` — welcome heading + "system status" widget that fetches `/api/health` from the BFF. Doubles as a smoke test of the full SPA → BFF stack: CORS, OTel trace propagation, Pino log correlation. After page load, http://localhost:16686 should show one trace whose root span is the SPA `document_load`, with a child `fetch` span that has its own child `HTTP GET /api/health` BFF span. - `pages/accessibility/` — single component, content selected by route data (`lang: 'fr' | 'en'`). Mounted at `/accessibility` (en) and `/accessibilite` (fr). v1 carries placeholder copy explicitly framed as "awaiting APF user panel review" — RGAA + ADR-0016 require the routes to exist; the substantive statement (audit grid, gaps list, remediation plan) lands separately. **Routing & wiring**: - `app.routes.ts` adds the three routes, all lazy-loaded. - `app.config.ts` adds `provideHttpClient(withFetch())` so HttpClient delegates to the patched browser `fetch` and the W3C `traceparent` header propagates automatically (per ADR-0012 phase 2). - `nx-welcome.ts` removed; `app.ts` no longer imports it. **Bundle budgets** (`apps/portal-shell/project.json`): | Type | Limit (raw) | ADR-0017 (gzip) | | ------------------- | ------------ | --------------- | | `initial` | 1 MB | ≤ 300 KB | | `anyScript` | 300 KB | ≤ 100 KB / chunk | | `anyComponentStyle` | 6 KB | ≤ 6 KB | | `bundle "styles"` | 150 KB | ≤ 150 KB | `maximumWarning == maximumError` so an overshoot fails the build (matching `type: "error"` in spirit). Angular CLI compares **raw** sizes; ADR-0017 §Confirmation is updated to record the gzip→raw translation and the deferred follow-up that will add a CI check on the actual gzipped transfer size (Angular has no native gzip-mode budget). ## Verified locally - `pnpm exec nx run-many -t lint test build` → 8 projects green; **12 tests pass** for `portal-shell` across 5 specs (App, Header, Footer, Home, AccessibilityStatement). - `pnpm nx build portal-shell --configuration=production` → initial bundle **326.99 KB raw / 89.82 KB transfer** (gzip) — well under the ADR-0017 300 KB gzip target. Lazy chunks: home 2.66 KB, accessibility 2.90 KB. - `pnpm audit` clean. After `./infra/local/dev.sh up observability` + `pnpm nx serve portal-bff` + `pnpm nx serve portal-shell`, opening http://localhost:4200 shows the new layout, the system-status widget connects to the BFF, and the corresponding trace appears in Jaeger. ## Out of scope (separate PRs) - **Real RGAA audit content** — APF user-panel review. - **Design tokens system** in `libs/shared/tokens`. - **Reusable UI primitives** in `libs/shared/ui`. - **User-preferences panel** (ADR-0016 §"User-preferences panel"). - **i18n machinery** (`@angular/localize`) — for v1 the FR/EN copy is inlined and route-driven; real i18n is a separate ADR. - **Env-config** (Angular `environment.ts`) — the hard-coded `http://localhost:3000/api/health` will move there alongside the OTLP endpoint when the env-config PR lands. - **CI gzip-transfer-size assertion** to complement the raw-size Angular budgets. ## Test plan - [ ] CI green on this PR. - [ ] Local: home page renders, system-status widget transitions from "Checking the backend…" to the success state when the BFF is up; falls back to "Backend unreachable" with the BFF stopped. - [ ] `/accessibility` and `/accessibilite` render the matching language with `<article lang="en|fr">`. - [ ] Skip link reachable via Tab from address bar; clicking it focuses `#main-content`. - [ ] Production build size summary roughly matches the figures above (initial total ≈ 90 KB transfer). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #74 |
||
|
|
288610b9ba |
docs(development): add observability dev-loop section (#73)
## Summary ADR-0012 phase 1 + phase 2 are wired (BFF + SPA), so the "Observability dev-loop" placeholder in the roadmap table now has real content to point at. Promote it from §9 future-work list to a full §5 walkthrough sitting between "Daily commands" and "Dependency updates". ## What §5 covers - **Bringing up the observability stack** — `./infra/local/dev.sh up observability`, with the endpoint table (Jaeger UI, OTLP receiver, BFF stdout, browser DevTools). - **Reading a trace in Jaeger** — service-dropdown filter, span attribute keys to look at (`http.method`, `db.statement`, `service.name`, `trace_id`), the trace-id-as-pivot pattern. - **Correlating a trace with the BFF Pino logs** via `trace_id` and `request_id` (the per-request UUID `nestjs-cls` provides). Concrete `grep` example. - **Reading SPA spans from the browser** — DevTools Network filter on `localhost:4318/v1/traces` + Jaeger UI cross-check. - **Common gotchas** — observability profile not active, CORS pre-flight on `/v1/traces`, `propagateTraceHeaderCorsUrls` mismatches, NODE_ENV mis-set, EADDRINUSE on serve restart. - **What's not in v1** — pointer at the "wired as features land" deltas (CLS keys for session/user/audience, redact list, custom domain spans, prod backend) so a contributor knows what's intentionally not yet there. ## Renumbering The new §5 pushes existing sections down. Final structure: 1. Repo layout / 2. Prerequisites / 3. Initial setup / 4. Daily commands / 5. **Observability dev-loop** / 6. Dependency updates (Renovate) / 7. Conventional commit cycle / 8. Where to look / 9. Roadmap. The "Observability dev-loop" line in §9's roadmap table is removed (now implemented). `docs/README.md` cross-link updated to mention the new section. ## Test plan - [ ] CI green on this PR (`format:check`). - [ ] In a fresh checkout, follow §5's "Bring up the observability stack" verbatim, reach the Jaeger UI, then walk a trace through the `grep` correlation example with a synthetic request — flag any step that's wrong / missing on this real-world rehearsal. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #73 |
||
|
|
8f2cd4e068 |
feat(portal-shell): wire spa-side opentelemetry tracing (#72)
## Summary Phase 2 of ADR-0012 — closes the loop SPA → BFF → DB. After this PR, a single user action (initial page load, click, form submit) produces one trace whose root span is owned by the SPA and whose child spans cover the BFF request, Postgres queries through Prisma, and (eventually) Redis / downstream-API hops. ## What lands **Browser-side OTel libs** (production deps): - `@opentelemetry/sdk-trace-web` — browser tracer + provider - `@opentelemetry/exporter-trace-otlp-http` — OTLP/HTTP+JSON exporter - `@opentelemetry/instrumentation` — auto-instrumentation runtime - `@opentelemetry/instrumentation-fetch` — `fetch` + W3C `traceparent` propagation - `@opentelemetry/instrumentation-document-load` — initial-paint timings - `@opentelemetry/instrumentation-user-interaction` — click / keypress / submit No `@opentelemetry/context-zone`: the workspace is zoneless per ADR-0004; the default `StackContextManager` covers the auto-instrumented paths. Custom spans across `await` will need explicit `context.with(...)` plumbing — fine, encountered as code lands. **Code**: - [`apps/portal-shell/src/observability/tracing.ts`](apps/portal-shell/src/observability/tracing.ts) — `WebTracerProvider` bootstrap. Documents the load-order constraint inline (same pattern as the BFF: must be the very first import of `main.ts`, otherwise auto-instrumentations miss everything imported above). - `apps/portal-shell/src/main.ts` now imports the tracing module as line 1. **CORS plumbing** for end-to-end trace propagation: - BFF (`apps/portal-bff/src/main.ts`) calls `enableCors` with a minimal dev allowlist (`http://localhost:4200`) and explicit permission for the W3C `traceparent` / `tracestate` headers. The full security-grade CORS (per-environment allowlists, helmet, cookie-session, CSRF) belongs to the future phase-2 security ADR — this PR adds the strict minimum for the SPA→BFF trace context to survive cross-origin pre-flight. - OTel Collector (`infra/local/otel-collector.yaml`) gains a `cors` block on its OTLP/HTTP receiver so the browser's own OTLP POST clears its pre-flight. **ADR-0012 §Confirmation** rewritten: a new "Wired in the SPA foundation PR (phase 2)" block enumerates what landed here; the carry-over "Wired as features land" list drops the SPA-side SDK item and adds a follow-up note about the security-grade CORS. ## Verification ```bash pnpm exec nx run-many -t lint test build # 8 projects green pnpm audit # 0 vulns ./infra/local/dev.sh up observability # bring up Collector + Jaeger ./infra/local/dev.sh # (separately, BFF stack — your choice) pnpm nx serve portal-bff # localhost:3000 pnpm nx serve portal-shell # localhost:4200 ``` Open http://localhost:4200 → a `document_load` trace appears in http://localhost:16686 with `service.name=portal-shell`. From DevTools, run `fetch('http://localhost:3000/api/health').then(r => r.json())` → a fetch span appears with a child BFF span on the same trace. ## Test plan - [ ] CI green on this PR. - [ ] After local up, `document_load` span visible in Jaeger UI for the SPA. - [ ] Cross-origin fetch from SPA carries `traceparent` (visible in Network tab) and produces a single end-to-end trace SPA → BFF in Jaeger. - [ ] DevTools console shows no CORS warnings about `traceparent`, `tracestate`, or the `localhost:4318/v1/traces` POST. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #72 |
||
|
|
c3c15585ff |
style(portal-bff): apply prettier to check-database-url.ts (#71)
## Summary Cosmetic-only follow-up to #70. Collapses one over-cautious multi-line `throw new Error(...)` into a single line that fits within the project's 100-char `printWidth`. The reformat was produced by lint-staged **during** the amend that landed #70, but applied to the working tree only — the modification never made it back into the staged content of the amend. The merged commit therefore carries the un-prettified version. Spotted locally with `pnpm exec prettier --check apps/portal-bff/src/config/check-database-url.ts` failing. Left unchecked, the next PR's `check` job would break at `format:check` for unrelated reasons. ## Test plan - [ ] CI green on this PR (`format:check` clean). - [ ] No behavioural change — only whitespace. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #71 |
||
|
|
b74d3f1b9b |
feat(portal-bff): observability foundations (Pino + CLS + OTel) (#70)
## Summary
Implements ADR-0012 phase 1, BFF side. The SPA wiring is a separate phase-2 PR.
The BFF now emits structured JSON logs to stdout, tagged with `trace_id` / `span_id` from the active OTel context, and exports OTLP traces over HTTP/Protobuf to the Collector that already runs in the local-dev compose. Anything Nest, Express, HTTP-out, Prisma (Postgres) or `ioredis` does is auto-spanned. A `GET /api/health` liveness endpoint is added to round things out.
## What lands
**Runtime libs added** (production deps):
- `nestjs-pino`, `pino`, `pino-http` — structured logging
- `nestjs-cls` — request-scoped context
- `@opentelemetry/api` / `sdk-node` / `resources` / `semantic-conventions`
- `@opentelemetry/exporter-trace-otlp-proto` (HTTP/Protobuf, port 4318)
- `@opentelemetry/instrumentation-{http,express,nestjs-core,pg,ioredis,pino}` — curated, **no** `auto-instrumentations-node` mass-import (anti-bricolage)
Dev: `pino-pretty` (gated by `NODE_ENV`).
**Code:**
- `apps/portal-bff/src/observability/tracing.ts` — OTel `NodeSDK` bootstrap. Documents the load-order constraint inline (must be the very first import of `main.ts`). Pure side-effect module.
- `apps/portal-bff/src/observability/observability.module.ts` — composes `ClsModule` (UUID per request stored as `request_id`) and `LoggerModule` (`pino-pretty` in dev, raw JSON in prod, `LOG_LEVEL` env-driven, `/health` excluded from auto-logging, `X-Request-Id` honoured if inbound).
- `apps/portal-bff/src/health/{health.controller,health.module,health.controller.spec}.ts` — `GET /api/health` returning `{status, uptimeSeconds, service, version}`. Cheap liveness only — `/readiness` lands when dependencies have a readiness story.
- `apps/portal-bff/src/config/check-database-url.{ts,spec.ts}` — fail-fast validator called from `main.ts` before NestFactory boots. Catches the same family of bug that bit pgweb in #63: a literal special character in `POSTGRES_PASSWORD` that needs URL-encoding in `DATABASE_URL`. Prisma requires a URL string (no discrete-flag escape hatch), so early validation + a clear error message is the v1 mitigation. Six unit tests cover happy path, missing URL, wrong scheme, encoded special chars, literal `@` in password, malformed URL.
**Wiring:**
- `main.ts` imports `./observability/tracing` as line 1, then uses `app.get(Logger)` from `nestjs-pino` with `bufferLogs: true` so early-bootstrap lines are not lost.
- `app.module.ts` imports `ObservabilityModule` first, then `PrismaModule`, then `HealthModule`.
- `apps/portal-bff/.env.example` promotes `LOG_LEVEL`, `OTEL_SERVICE_NAME`, `OTEL_SERVICE_VERSION`, `OTEL_EXPORTER_OTLP_ENDPOINT`, `OTEL_EXPORTER_OTLP_PROTOCOL`, `OTEL_TRACES_SAMPLER` from the "future" comment to active settings — defaults target the local-dev Collector.
- Both `apps/portal-bff/.env.example` and `infra/local/.env.example` now spell out the URL-encoding constraint on `POSTGRES_PASSWORD` with the char-by-char encoding table (`@` → `%40`, etc.).
**ADR-0012 §Confirmation** rewritten to distinguish what landed in this PR from what is wired as the corresponding feature ADRs ship (CLS keys for `session_id` / `user_id_hash` / `audience`, `LOG_USER_ID_SALT` enforcement, redact list, custom spans, SPA-side SDK, full integration tests, prod Collector config).
## Trace ↔ log correlation
Automatic via `@opentelemetry/instrumentation-pino` — every Pino record gets `trace_id` and `span_id` injected from the active OTel context. No CLS gymnastics needed for that concern.
## Verification
```bash
pnpm exec nx run-many -t lint test build # 8 projects green
pnpm audit --audit-level=moderate # 0 vulnerabilities
./infra/local/dev.sh up observability # start Collector + Jaeger
cp apps/portal-bff/.env.example apps/portal-bff/.env
pnpm nx serve portal-bff
curl http://localhost:3000/api/health
# → {"status":"ok","uptimeSeconds":N,"service":"portal-bff","version":"dev"}
```
Then hit `GET http://localhost:3000/api` once or twice and open http://localhost:16686 — the corresponding spans appear in Jaeger, and Pino logs on stdout carry the matching `trace_id`.
## Test plan
- [ ] `nx run-many -t lint test build` green on this PR's CI run.
- [ ] `pnpm audit` clean.
- [ ] BFF boots, `/api/health` returns the expected JSON.
- [ ] Pino logs in dev are colourised one-liners; in prod they would be raw JSON (toggled by `NODE_ENV=production`).
- [ ] With the local-dev stack's `--profile observability` active, traces are visible in Jaeger UI.
- [ ] Each Pino log line for a request carries the same `trace_id` as the trace span in Jaeger.
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #70
|
||
|
|
80e35c6aab |
chore(deps): update dependency lint-staged to v17.0.4 (#69)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [lint-staged](https://github.com/lint-staged/lint-staged) | devDependencies | patch | [`17.0.3` -> `17.0.4`](https://renovatebot.com/diffs/npm/lint-staged/17.0.3/17.0.4) | --- ### Release Notes <details> <summary>lint-staged/lint-staged (lint-staged)</summary> ### [`v17.0.4`](https://github.com/lint-staged/lint-staged/blob/HEAD/CHANGELOG.md#1704) [Compare Source](https://github.com/lint-staged/lint-staged/compare/v17.0.3...v17.0.4) ##### Patch Changes - [#​1788](https://github.com/lint-staged/lint-staged/pull/1788) [`f95c1f8`](https://github.com/lint-staged/lint-staged/commit/f95c1f8df3368758c44c2052e568aac1b3d4c767) - Another fix for making sure *lint-staged* adds task modifications correctly to the commit in the following cases: - after editing `<file>` it is staged with `git add <file>`, and then committed with `git commit` - after editing `<file>` it is committed with `git commit --all` without explicit `git add` - after editing `<file>` it is committed with `git commit <pathspec>` without explicit `git add` There's new test cases which actually setup the Git `pre_commit` hook to run *lint-staged* and verify them. These issues started in **v17.0.0** when trying to improve support for committig without having explicitly staged files. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #69 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
fc9b63f24a |
feat(infra): add dev.sh wrapper for the local-dev compose stack (#68)
## Summary Two recurring frictions on the local-dev stack: 1. **Compose-profile asymmetry** — `docker compose down` only operates on services whose profile is currently active. Anything brought up with `--profile X` keeps running unless the same flag is passed on `down`. pgweb and Jaeger silently survived several `down -v` invocations before we noticed (#67 documented the gotcha; this PR makes it impossible to hit if you use the wrapper). 2. **Verbose invocations** — typing `docker compose -f infra/local/dev.compose.yml --profile … <verb>` for routine ops gets old fast. Add [`infra/local/dev.sh`](infra/local/dev.sh) as a thin wrapper. Always passes every profile in scope on teardown / status / log commands, exposes ergonomic verbs: | Command | Effect | | --------------------------------------------- | --------------------------------------------------------------- | | `./infra/local/dev.sh up` | Core only (postgres + redis + otel-collector) | | `./infra/local/dev.sh up all` | Core + every profile | | `./infra/local/dev.sh up dbtools` | Core + pgweb | | `./infra/local/dev.sh up observability` | Core + Jaeger | | `./infra/local/dev.sh down [-v]` | Tear down (every profile in scope, no orphaned services) | | `./infra/local/dev.sh stop <service>` | Stop one service (containers stay around) | | `./infra/local/dev.sh restart <service>` | Restart one service | | `./infra/local/dev.sh status` | `ps` with every profile visible | | `./infra/local/dev.sh logs [service]` | Follow logs | | `./infra/local/dev.sh exec <service> <cmd>` | Run a command inside a container | Anything not matching one of the named verbs is passed through to `docker compose -f dev.compose.yml ...` (with every profile flagged in), so the full Compose surface remains available. ## Doc updates - **`infra/README.md`** — new "Convenience script" subsection with the cheat-sheet table; "First-time setup" rewritten to use the script; the standalone "Profile symmetry" tip from #67 is collapsed into a one-liner since the script now handles it (the note remains as a fallback for direct `docker compose` users). - **`docs/development.md` §3** — points at the script for the typical setup flow. The compose file itself is unchanged. ## Test plan - [ ] `./infra/local/dev.sh help` prints the usage block. - [ ] `./infra/local/dev.sh up` brings up the 3 core services (no pgweb / no jaeger). - [ ] `./infra/local/dev.sh up all` adds pgweb and Jaeger. - [ ] `./infra/local/dev.sh down -v` stops and removes all 5 containers (incl. pgweb and Jaeger), wipes the postgres-data and redis-data volumes. - [ ] `./infra/local/dev.sh stop pgweb` stops just pgweb. - [ ] `./infra/local/dev.sh logs otel-collector` follows that service's logs. - [ ] `./infra/local/dev.sh exec postgres psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "\du"` lists the audit roles. - [ ] `./infra/local/dev.sh stop` (no arg) errors with a clear message. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #68 |
||
|
|
4d2d4d652a |
docs(infra): document Compose profile + down/up symmetry gotcha (#67)
## Summary `docker compose -f infra/local/dev.compose.yml down -v` left pgweb and Jaeger running, with no error and no obvious diagnostic — they kept eating memory until the next reboot. Reason: Compose only operates on services whose profile is currently active. Bringing them up with `--profile dbtools` / `--profile observability` requires the same flag(s) on `down`, otherwise they're invisible to that command. Document the gotcha in `infra/README.md` "Local-dev stack" → "Operational tips", with the two pragmatic resolutions: 1. Pass the same flags on each command (most explicit). 2. Set `COMPOSE_PROFILES=dbtools,observability` once in the shell or `infra/local/.env`, and let it propagate to every `up` / `down` / `ps` invocation. ## Test plan - [ ] Bring up the full stack: `docker compose -f infra/local/dev.compose.yml --profile dbtools --profile observability up -d`. - [ ] `docker compose -f infra/local/dev.compose.yml down -v` (no flags) — confirms pgweb + jaeger keep running. - [ ] Run the documented "complete" command — confirms everything is gone. - [ ] Repeat with `COMPOSE_PROFILES` set; same outcome. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #67 |
||
|
|
b2d7fe3fd7 |
chore(deps): update dependency jest to v30.4.2 (#65)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [jest](https://jestjs.io/) ([source](https://github.com/jestjs/jest/tree/HEAD/packages/jest)) | devDependencies | patch | [`30.4.1` -> `30.4.2`](https://renovatebot.com/diffs/npm/jest/30.4.1/30.4.2) | --- ### Release Notes <details> <summary>jestjs/jest (jest)</summary> ### [`v30.4.2`](https://github.com/jestjs/jest/blob/HEAD/CHANGELOG.md#3042) [Compare Source](https://github.com/jestjs/jest/compare/v30.4.1...v30.4.2) ##### Fixes - `[jest-runtime]` Fix named imports from CJS modules whose `module.exports` is a function with own-property exports ([#​16150](https://github.com/jestjs/jest/pull/16150)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #65 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
3fbb1f92a8 |
chore(deps): update tailwind css to v4.3.0 (#66)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@tailwindcss/postcss](https://tailwindcss.com) ([source](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss)) | devDependencies | minor | [`4.2.4` -> `4.3.0`](https://renovatebot.com/diffs/npm/@tailwindcss%2fpostcss/4.2.4/4.3.0) | | [tailwindcss](https://tailwindcss.com) ([source](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss)) | devDependencies | minor | [`4.2.4` -> `4.3.0`](https://renovatebot.com/diffs/npm/tailwindcss/4.2.4/4.3.0) | --- ### Release Notes <details> <summary>tailwindlabs/tailwindcss (@​tailwindcss/postcss)</summary> ### [`v4.3.0`](https://github.com/tailwindlabs/tailwindcss/blob/HEAD/CHANGELOG.md#430---2026-05-08) [Compare Source](https://github.com/tailwindlabs/tailwindcss/compare/v4.2.4...v4.3.0) ##### Added - Add `@container-size` utility ([#​18901](https://github.com/tailwindlabs/tailwindcss/pull/18901)) - Add `scrollbar-{auto,thin,none}` utilities for `scrollbar-width`, and `scrollbar-thumb-*` / `scrollbar-track-*` color utilities for `scrollbar-color` ([#​19981](https://github.com/tailwindlabs/tailwindcss/pull/19981), [#​20019](https://github.com/tailwindlabs/tailwindcss/pull/20019)) - Add `scrollbar-gutter-*` utilities ([#​20018](https://github.com/tailwindlabs/tailwindcss/pull/20018)) - Add `zoom-*` utilities ([#​20020](https://github.com/tailwindlabs/tailwindcss/pull/20020)) - Add `tab-*` utilities ([#​20022](https://github.com/tailwindlabs/tailwindcss/pull/20022)) - Allow using `@variant` with stacked variants (e.g. `@variant hover:focus { … }`) ([#​19996](https://github.com/tailwindlabs/tailwindcss/pull/19996)) - Allow using `@variant` with compound variants (e.g. `@variant hover, focus { … }`) ([#​19996](https://github.com/tailwindlabs/tailwindcss/pull/19996)) - Support `--default(…)` in `--value(…)` and `--modifier(…)` for functional `@utility` definitions ([#​19989](https://github.com/tailwindlabs/tailwindcss/pull/19989)) ##### Fixed - Ensure `@plugin` resolves package JavaScript entries instead of browser CSS entries when using `@tailwindcss/vite` ([#​19949](https://github.com/tailwindlabs/tailwindcss/pull/19949)) - Fix relative `@import` and `@plugin` paths resolving from the wrong directory when using `@tailwindcss/vite` ([#​19965](https://github.com/tailwindlabs/tailwindcss/pull/19965)) - Ensure CSS files containing `@variant` are processed by `@tailwindcss/vite` ([#​19966](https://github.com/tailwindlabs/tailwindcss/pull/19966)) - Resolve imports relative to `base` when `result.opts.from` is not provided when using `@tailwindcss/postcss` ([#​19980](https://github.com/tailwindlabs/tailwindcss/pull/19980)) - Canonicalization: preserve significant `_` whitespace in arbitrary values ([#​19986](https://github.com/tailwindlabs/tailwindcss/pull/19986)) - Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. `w-[calc(100%---spacing(60))]` → `w-[calc(100%-(--spacing(60)))]`) ([#​19986](https://github.com/tailwindlabs/tailwindcss/pull/19986)) - Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. `-mt-[20in]` → `mt-[-20in]`, not `mt-[-1920px]`) ([#​19988](https://github.com/tailwindlabs/tailwindcss/pull/19988)) - Canonicalization: migrate arbitrary `:has()` variants from `[&:has(…)]` to `has-[…]` ([#​19991](https://github.com/tailwindlabs/tailwindcss/pull/19991)) - Upgrade: don’t migrate inline `style` attributes (e.g. `style="flex-grow: 1"` → `style="flex-grow: 1"`, not `style="grow: 1"`) ([#​19918](https://github.com/tailwindlabs/tailwindcss/pull/19918)) - Allow multiple `@utility` definitions with the same name but different value types ([#​19777](https://github.com/tailwindlabs/tailwindcss/pull/19777)) - Export missing `PluginWithConfig` type from `tailwindcss/plugin` to fix errors when inferring plugin config types ([#​19707](https://github.com/tailwindlabs/tailwindcss/pull/19707)) - Ensure `start` and `end` legacy utilities without values do not generate CSS ([#​20003](https://github.com/tailwindlabs/tailwindcss/pull/20003)) - Ensure `--value(…)` is required in functional `@utility` definitions ([#​20005](https://github.com/tailwindlabs/tailwindcss/pull/20005)) - Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. `-left-[(var(--a)+var(--b))]`) ([#​20011](https://github.com/tailwindlabs/tailwindcss/pull/20011)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #66 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
a893f8e06b |
chore(infra): migrate Jaeger to v2 for built-in dark theme (#64)
## Summary Jaeger v1's web UI has no theme selector — it ships light-only. v2 (the OTel-Collector-based rewrite, image `jaegertracing/jaeger`, distinct from v1's `jaegertracing/all-in-one`) ships a **Light / Dark / Auto** switcher in the UI nav. v2 is also the actively-developed line; v1 is on the way out within ~6-12 months. Migration is mechanical: - Image: `jaegertracing/all-in-one:1.76.0` → `jaegertracing/jaeger:2.17.0`. - Drop `COLLECTOR_OTLP_ENABLED: 'true'` env — v2 enables OTLP receivers by default. - UI port (`16686`) and OTLP ports (`4317` / `4318`) are unchanged, so the collector → `jaeger:4317` forwarding pipeline keeps working without touching `otel-collector.yaml`. ## Test plan - [ ] After merge: `docker compose -f infra/local/dev.compose.yml --profile observability up -d --force-recreate jaeger` → container stays healthy. - [ ] http://localhost:16686 loads the v2 UI; nav shows the Light/Dark/Auto switcher. - [ ] Send a synthetic OTLP trace to `localhost:4317` (e.g., via grpcurl or once the BFF is wired in B) → it appears in the Jaeger UI. - [ ] OTel Collector logs no longer warn abou --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #64 |
||
|
|
171f21b99b |
fix(infra): pass pgweb credentials via discrete CLI flags (#63)
## Summary `PGWEB_DATABASE_URL` (post-#62 rename) still fails at boot: ``` Error: Invalid URL. Valid format: postgres://user:password@host:port/db?sslmode=mode ``` Root cause: the userinfo portion of a Postgres URL must be URL-encoded — any `@`, `#`, `:`, `/`, `?`, `%`, `&`, `=`, `+`, `;` etc. in the password breaks the parser. Compose has no built-in URL encoding, so the URL we construct in YAML is fragile by design and depends on the developer happening to pick a URL-safe password. Switch to pgweb's discrete CLI flags (`--host`, `--port`, `--user`, `--pass`, `--db`, `--ssl`). Compose interpolates each value literally — no URL encoding required, any password works. The image's ENTRYPOINT already passes `--bind=0.0.0.0 --listen=8081`; our args are appended to those. ## Side benefit A missing password now yields an explicit Compose error (`POSTGRES_PASSWORD must be set in infra/local/.env`) rather than an opaque pgweb crash with a vague "Invalid URL" message. ## Test plan - [ ] After merge: `docker compose -f infra/local/dev.compose.yml --profile dbtools up -d` → pgweb stays up (no `Restarting (1)` loop). - [ ] http://localhost:8081 loads pgweb's UI; you can navigate to the `audit` schema. - [ ] Confirm with a password that contains a special char (e.g., `dev@pass#2026!`) — should still work. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #63 |
||
|
|
10f8565957 |
fix(infra): rename pgweb DATABASE_URL to PGWEB_DATABASE_URL (#62)
## Summary pgweb 0.16 deprecated `DATABASE_URL` in favour of `PGWEB_DATABASE_URL`. With the old name, the container starts up, emits a `[DEPRECATION]` warning, then crashes: ``` [DEPRECATION] Usage of DATABASE_URL env var is deprecated, please use PGWEB_DATABASE_URL variable instead Pgweb v0.16.2 ... Error: Invalid URL. Valid format: postgres://user:password@host:port/db?sslmode=mode ``` — because the new code path reads `PGWEB_DATABASE_URL` (empty) and the URL parser rejects an empty string. Rename the env key in the compose file. Same value, just the new name. ## Test plan - [ ] After merge: `docker compose -f infra/local/dev.compose.yml --profile dbtools up -d` → pgweb stays running (not in `Restarting` loop). - [ ] http://localhost:8081 loads pgweb's UI; click through to the `audit` schema and the four `audit_*` roles to confirm DB connection. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #62 |
||
|
|
a93b1067e6 |
docs(setup): add psql and redis-cli to prerequisites (#61)
## Summary Verifying the local-dev stack from the host (`docker compose up -d` + `psql ... -c "\du"` / `redis-cli PING`) requires the postgres and redis client binaries on the developer's machine. They were missing from the prereqs table, so `apt install postgresql-client` / `apt install redis-tools` was an implicit step nobody knew to run. Add both to §2's table, with one-line rationale for each. The Docker row is also tightened to point at the actual local-dev stack location ([`infra/local/`](infra/local/)) instead of the placeholder "Postgres + Redis containers" wording from before that recipe existed. `docker compose exec` remains a viable zero-install alternative for developers who prefer not to touch their host. Mentioned only informally — the host-install path is the documented one. ## Test plan - [ ] Fresh-clone a checkout, follow §2 + §3 verbatim, end with a working stack and successful `psql ... -c "\du"` against it. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #61 |
||
|
|
6137486d64 |
fix(infra): grant audit roles to current_user, not hardcoded portal (#60)
## Summary
The bootstrap SQL ended with:
```sql
GRANT audit_owner, audit_writer, audit_reader, audit_archiver TO portal;
```
— hard-coded `portal`. The compose file and `.env.example` both document `POSTGRES_USER` as overridable; any contributor who changed it hit:
```
ERROR: role "portal" does not exist
psql: /docker-entrypoint-initdb.d/01-init.sql:48: ERROR: role "portal" does not exist
```
Replace with `current_user`, which resolves at execution time to whoever is running the init SQL — i.e. the superuser Postgres just created from `POSTGRES_USER`, whatever its name.
## Recovery for anyone hit by the bug
The half-failed init left the postgres-data volume in a partially-initialised state. To reset:
```bash
cd infra/local
docker compose -f dev.compose.yml down -v # wipes the volume
docker compose -f dev.compose.yml up -d # bootstrap re-runs cleanly
```
## Test plan
- [ ] After merge + recovery: `docker compose ps` shows postgres healthy.
- [ ] `psql postgres://<user>:<pwd>@localhost:5432/portal_dev -c "\du"` lists the four `audit_*` roles, and your superuser is "Member of: {audit_owner, audit_writer, audit_reader, audit_archiver}".
- [ ] `psql ... -c "\dn"` shows the `audit` schema.
- [ ] Test with a non-default `POSTGRES_USER` value (set `POSTGRES_USER=apf_portal` in `.env`, wipe volume, re-up) — init still succeeds.
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #60
|
||
|
|
d5c5c45175 |
fix(infra): correct OTel collector image tag (#59)
## Summary `otel/opentelemetry-collector-contrib:0.115.0` doesn't exist — release 0.115 was published as `0.115.1` only. Same memory-not-Docker-Hub mistake as Jaeger in #58. ``` Error response from daemon: failed to resolve reference "docker.io/otel/opentelemetry-collector-contrib:0.115.0": not found ``` Pin to `0.150.1` (latest stable). The collector's stable-feature backward-compat covers our `otel-collector.yaml` (otlp receiver, batch processor, debug exporter, otlp/jaeger exporter) — no config change needed. Postgres `17.2-alpine`, Redis `7.4-alpine`, pgweb `0.16.2` were verified against Docker Hub at the same time; they're all correct. ## Test plan - [ ] `cd infra/local && docker compose -f dev.compose.yml up -d` — all 3 core services pull and start healthy. - [ ] `--profile observability up -d` adds Jaeger 1.76.0 (after #58). - [ ] `--profile dbtools up -d` adds pgweb 0.16.2. - [ ] `docker compose ps` shows everything healthy. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #59 |
||
|
|
f0372adaae |
fix(infra): correct Jaeger image tag (#58)
## Summary `jaegertracing/all-in-one:1.62` doesn't exist on Docker Hub — I picked it from memory in #57 without verification. Jaeger 1.x publishes only full-semver tags (1.X.Y), not rolling minor (`1.X`) tags. Activating `--profile observability` errored at image-pull time: ``` Error response from daemon: failed to resolve reference "docker.io/jaegertracing/all-in-one:1.62": not found ``` Pin to `1.76.0` (latest stable in the 1.x line, verified against Docker Hub). ## Test plan - [ ] `cd infra/local && docker compose -f dev.compose.yml --profile observability up -d` → all images pull, all services healthy. - [ ] http://localhost:16686 → Jaeger UI loads (empty until the BFF starts emitting traces, which lands in the upcoming **B — Observability foundations** PR). - [ ] Renovate's docker-compose manager picks up future Jaeger 1.x bumps and surfaces them as PRs. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #58 |
||
|
|
0f00d6d93f |
feat(infra): add local-dev Docker Compose stack (#57)
## Summary Bring up Postgres + Redis + OTel Collector in one command so contributors can run the BFF end-to-end without manually wiring each service. Replaces the throwaway `docker run postgres:17-alpine` one-liner that was in `docs/development.md` §3. ### What lands - **`infra/local/dev.compose.yml`** — three core services (`postgres:17.2-alpine`, `redis:7.4-alpine`, `otel/opentelemetry-collector-contrib:0.115.0`) plus two viewers gated behind Compose profiles: - `--profile dbtools` → `sosedoff/pgweb:0.16.2` (Postgres GUI on port 8081) - `--profile observability` → `jaegertracing/all-in-one:1.62` (Jaeger UI on 16686) - All ports overridable via `.env`. State in named volumes. Healthchecks on data services. - **`infra/local/.env.example`** — credentials + ports template. `POSTGRES_PASSWORD` and `REDIS_PASSWORD` are mandatory (compose refuses to boot without them); other keys default sensibly. - **`infra/local/init/postgres/01-init.sql`** — bootstrap SQL per **ADR-0013**: `audit_owner` / `audit_writer` / `audit_reader` / `audit_archiver` roles + `audit` schema. Default privileges encode the append-only contract (INSERT to writer, SELECT to reader, DELETE to archiver, no UPDATE/TRUNCATE to anyone). Applied on first Postgres boot only; documented re-run procedure. - **`infra/local/otel-collector.yaml`** — pipeline: OTLP gRPC/HTTP → batch → debug exporter (always) + forward to `jaeger:4317`. When the observability profile is off, the Jaeger export logs warn-level retries but doesn't block the debug pipeline. ### Surrounding doc updates - **`infra/README.md`** — new "Local-dev stack" section: service inventory, port table, first-time setup walkthrough, persistence/bootstrap-replay tips. The previous `local/` placeholder line is removed. - **`docs/development.md`** §3 — rewritten to walk through the compose-based setup; cross-links to `infra/README.md` for the full reference. Roadmap entry for "Local infra recipe" removed from §8 (now implemented); "Observability dev-loop" line adjusted to point at the new Jaeger profile. ### Out of scope - **Production parity** — HA Postgres, Redis Sentinel, real OTel backend (Tempo / Loki / etc.) — defer to the on-prem infrastructure ADR (phase 3b). The dev-only nature of this stack is called out explicitly in `infra/README.md`. - **Wiring the BFF** to actually use these endpoints (NestJS config, Prisma datasource URL, OTel SDK init) — that's the **B — Observability foundations** chantier, next up. ## Test plan - [ ] `cd infra/local && cp .env.example .env && docker compose -f dev.compose.yml up -d` → all three core services come up healthy; verify with `docker compose ps`. - [ ] `psql postgres://portal:<pwd>@localhost:5432/portal_dev -c "\dn"` shows the `audit` schema; `\dg` shows the four audit roles. - [ ] `redis-cli -a <pwd> PING` → `PONG`. - [ ] Send a fake OTLP trace via grpcurl → see it printed by `docker compose logs otel-collector`. - [ ] `--profile dbtools up -d` → http://localhost:8081 shows pgweb UI, can navigate to the audit schema. - [ ] `--profile observability up -d` → http://localhost:16686 shows Jaeger UI; collector logs no longer report Jaeger export retries. - [ ] `docker compose down -v` cleanly removes everything; next `up -d` re-runs the bootstrap SQL. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #57 |
||
|
|
a93ee16091 |
chore(deps): update dependency lint-staged to v17.0.3 (#55)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [lint-staged](https://github.com/lint-staged/lint-staged) | devDependencies | patch | [`17.0.2` -> `17.0.3`](https://renovatebot.com/diffs/npm/lint-staged/17.0.2/17.0.3) | --- ### Release Notes <details> <summary>lint-staged/lint-staged (lint-staged)</summary> ### [`v17.0.3`](https://github.com/lint-staged/lint-staged/blob/HEAD/CHANGELOG.md#1703) [Compare Source](https://github.com/lint-staged/lint-staged/compare/v17.0.2...v17.0.3) ##### Patch Changes - [#​1782](https://github.com/lint-staged/lint-staged/pull/1782) [`06813f9`](https://github.com/lint-staged/lint-staged/commit/06813f9ab661db987e7720086ef9ec3f552ee097) Thanks [@​iiroj](https://github.com/iiroj)! - Fix *lint-staged* behavior when implicitly committing files without using `git add` by either: - `git commit -am "my commit message"` where `-a` (`--all`) means to automatically stage all tracked modified and deleted files - `git commit -m "my commit message" .` where `.` is an example of a [*pathspec*](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt-pathspec) where matching files will be staged </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #55 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
8f81b6202e |
chore(ci): add triage guide to Renovate dependency dashboard (#54)
## Summary The Renovate dashboard organises pending updates in standard sections (Open / Awaiting Schedule / Pending Approval / Detected dependencies / …). The section headings alone aren't self-explanatory, so the patch+minor vs major distinction we set up via `dependencyDashboardApproval: true` for majors gets lost in the noise. Add a `dependencyDashboardHeader` markdown block that: - maps each section → the triage action expected (batch-merge / leave alone / read-changelog-then-tick); - re-states the pinned constraints visible right at the top: Prisma majors blocked per ADR-0006, Trivy/gitleaks workflow pins not Renovate-tracked; - cross-links to `docs/development.md` for the full procedure (lighter CI on bot PRs, etc.). ## Test plan - [ ] After merge, trigger Renovate manually (Actions → Renovate → Run workflow). - [ ] The "Renovate Dependency Dashboard" issue body now starts with the triage table; sections below are unchanged. - [ ] Pending major bumps (e.g. anything Renovate now holds for approval) are clearly distinguishable from the patch/minor batch. ## After this PR Triage the dashboard with the new guide; once that wave is digested, on to **A — local infra recipe**. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #54 |
||
|
|
caf730bc40 |
chore(deps): update jest monorepo to v30.4.1 (#53)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [jest](https://jestjs.io/) ([source](https://github.com/jestjs/jest/tree/HEAD/packages/jest)) | devDependencies | minor | [`30.3.0` -> `30.4.1`](https://renovatebot.com/diffs/npm/jest/30.3.0/30.4.1) | | [jest-environment-node](https://github.com/jestjs/jest) ([source](https://github.com/jestjs/jest/tree/HEAD/packages/jest-environment-node)) | devDependencies | minor | [`30.3.0` -> `30.4.1`](https://renovatebot.com/diffs/npm/jest-environment-node/30.3.0/30.4.1) | | [jest-util](https://github.com/jestjs/jest) ([source](https://github.com/jestjs/jest/tree/HEAD/packages/jest-util)) | devDependencies | minor | [`30.3.0` -> `30.4.1`](https://renovatebot.com/diffs/npm/jest-util/30.3.0/30.4.1) | --- ### Release Notes <details> <summary>jestjs/jest (jest)</summary> ### [`v30.4.1`](https://github.com/jestjs/jest/blob/HEAD/CHANGELOG.md#3041) [Compare Source](https://github.com/jestjs/jest/compare/v30.4.0...v30.4.1) ##### Features - `[jest-config, jest-core, jest-runner, jest-schemas, jest-types]` Allow custom runner configuration options via tuple format `['runner-path', {options}]` ([#​16141](https://github.com/jestjs/jest/pull/16141)) ##### Fixes - `[jest-runtime]` Align CJS-from-ESM default export with Node: `module.exports` is always the ESM default, `__esModule` unwrapping is no longer applied ([#​16143](https://github.com/jestjs/jest/pull/16143)) ### [`v30.4.0`](https://github.com/jestjs/jest/blob/HEAD/CHANGELOG.md#3040) [Compare Source](https://github.com/jestjs/jest/compare/v30.3.0...v30.4.0) ##### Features - `[babel-jest]` Support collecting coverage from `.mts`, `.cts` (and other) files ([#​15994](https://github.com/jestjs/jest/pull/15994)) - `[jest-circus, jest-cli, jest-config, jest-core, jest-jasmine2, jest-types]` Add `--collect-tests` flag to discover and list tests without executing them ([#​16006](https://github.com/jestjs/jest/pull/16006)) - `[jest-config, jest-runner, jest-worker]` Add `workerGracefulExitTimeout` config option to control how long workers are given to exit before being force-killed ([#​15984](https://github.com/jestjs/jest/pull/15984)) - `[jest-config]` Add support for `jest.config.mts` as a valid configuration file ([#​16005](https://github.com/jestjs/jest/pull/16005)) - `[jest-config, jest-core, jest-reporters, jest-runner]` `verbose` and `silent` can now be set per-project; the project-level value overrides the global value for that project's tests ([#​16133](https://github.com/jestjs/jest/pull/16133)) - `[@jest/fake-timers]` Accept `Temporal.Duration` in `jest.advanceTimersByTime()` and `jest.advanceTimersByTimeAsync()` ([#​16128](https://github.com/jestjs/jest/pull/16128)) - `[@jest/fake-timers]` Accept `Temporal.Instant` and `Temporal.ZonedDateTime` in `jest.setSystemTime()` and `useFakeTimers({now})` ([#​16128](https://github.com/jestjs/jest/pull/16128)) - `[@jest/fake-timers]` Support faking `Temporal.Now.*` ([#​16131](https://github.com/jestjs/jest/pull/16131)) - `[jest-mock]` Add `clearMocksOnScope(scope)` on `ModuleMocker` for clearing every mock function exposed on a scope object ([#​16088](https://github.com/jestjs/jest/pull/16088)) - `[jest-resolve]` Add `canResolveSync()` on `Resolver` so callers can detect when a user-configured resolver only exports an `async` hook ([#​16064](https://github.com/jestjs/jest/pull/16064)) - `[jest-runtime]` Use synchronous `evaluate()` for ES modules without top-level `await` on Node versions that support it (v24.9+), and prefer the synchronous transform path when a sync transformer is configured ([#​16062](https://github.com/jestjs/jest/pull/16062)) - `[jest-runtime]` Support `require()` of ES modules on Node v24.9+ ([#​16074](https://github.com/jestjs/jest/pull/16074)) - `[jest-runtime]` Validate TC39 import attributes (`with { type: 'json' }`) on ESM imports ([#​16127](https://github.com/jestjs/jest/pull/16127)) - `[@jest/transform]` Add `canTransformSync(filename)` on `ScriptTransformer` so callers can pick the sync vs async transform path ([#​16062](https://github.com/jestjs/jest/pull/16062)) - `[jest-util]` Add `isError` helper ([#​16076](https://github.com/jestjs/jest/pull/16076)) - `[pretty-format]` Support React 19 ([#​16123](https://github.com/jestjs/jest/pull/16123)) ##### Fixes - `[expect-utils]` Fix `toStrictEqual` failing on `structuredClone` results due to cross-realm constructor mismatch ([#​15959](https://github.com/jestjs/jest/pull/15959)) - `[@jest/expect-utils]` Prevent `toMatchObject`/subset matching from throwing when encountering exotic iterables ([#​15952](https://github.com/jestjs/jest/pull/15952)) - `[fake-timers]` Convert `Date` to milliseconds before passing to `@sinonjs/fake-timers` ([#​16029](https://github.com/jestjs/jest/pull/16029)) - `[jest]` Export `GlobalConfig` and `ProjectConfig` TypeScript types ([#​16132](https://github.com/jestjs/jest/pull/16132)) - `[jest-circus]` Prevent crash when `asyncError` is undefined for non-Error throws ([#​16003](https://github.com/jestjs/jest/pull/16003)) - `[jest-circus, jest-jasmine2]` Include `Error.cause` in JSON `failureMessages` output ([#​15967](https://github.com/jestjs/jest/pull/15967)) - `[jest-config]` Fix preset path resolution on Windows when the preset uses subpath `exports` ([#​15961](https://github.com/jestjs/jest/pull/15961)) - `[jest-config]` Allow `collectCoverage` and `coverageProvider` in project config without a validation warning ([#​16132](https://github.com/jestjs/jest/pull/16132)) - `[jest-config]` Project config validator now emits "is not supported in an individual project configuration" instead of "probably a typing mistake" for known global-only options ([#​16132](https://github.com/jestjs/jest/pull/16132)) - `[jest-environment-node]` Fix `--localstorage-file` warning on Node 25+ ([#​16086](https://github.com/jestjs/jest/pull/16086)) - `[jest-reporters]` Apply global coverage threshold to unmatched pattern files in addition to glob/path thresholds ([#​16137](https://github.com/jestjs/jest/pull/16137)) - `[jest-reporters, jest-runner, jest-runtime, jest-transform]` Fix coverage report not showing correct code coverage when using `projects` config option ([#​16140](https://github.com/jestjs/jest/pull/16140)) - `[jest-runtime]` Resolve `expect` and `@jest/expect` from the internal module registry so test-file imports share the same `JestAssertionError` as the global `expect` ([#​16130](https://github.com/jestjs/jest/pull/16130)) - `[jest-runtime]` Improve CJS-from-ESM interop: `__esModule`/Babel default unwrap, broader named-export coverage, and shared CJS singleton across importers ([#​16050](https://github.com/jestjs/jest/pull/16050)) - `[jest-runtime]` Load `.js` files with ESM syntax but no `"type":"module"` marker as native ESM ([#​16050](https://github.com/jestjs/jest/pull/16050)) - `[jest-runtime]` Extend the `.js`-with-ESM-syntax fallback to `require()` on Node v24.9+ - falls back to `require(esm)` when the CJS parser rejects ESM syntax ([#​16078](https://github.com/jestjs/jest/pull/16078)) - `[jest-runtime]` Fix deadlocks and double-evaluation in concurrent ESM and wasm imports ([#​16050](https://github.com/jestjs/jest/pull/16050)) - `[jest-runtime]` Fix error when `require()` is called after the Jest environment has been torn down ([#​15951](https://github.com/jestjs/jest/pull/15951)) - `[jest-runtime]` Fix missing error when `import()` is called after the Jest environment has been torn down ([#​16080](https://github.com/jestjs/jest/pull/16080)) - `[jest-runtime]` Fix virtual `unstable_mockModule` registrations not respected in ESM ([#​16081](https://github.com/jestjs/jest/pull/16081)) - `[jest-runtime]` Apply `moduleNameMapper` when resolving modules with `require.resolve()` and the `paths` option ([#​16135](https://github.com/jestjs/jest/pull/16135)) ##### Chore & Maintenance - `[@jest/fake-timers]` Upgrade `@sinonjs/fake-timers` ([#​16139](https://github.com/jestjs/jest/pull/16139)) - `[jest-runtime]` Use synchronous `linkRequests` / `instantiate` for ESM linking on Node v24.9+ ([#​16063](https://github.com/jestjs/jest/pull/16063)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #53 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
48e7a72f61 |
chore(deps): update dependency @types/node to v24.12.3 (#52)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | devDependencies | patch | [`24.12.2` -> `24.12.3`](https://renovatebot.com/diffs/npm/@types%2fnode/24.12.2/24.12.3) | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #52 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
4739fc4f9b |
fix(deps): update angular to v21.2.10 (#47)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@angular-devkit/core](https://github.com/angular/angular-cli) | devDependencies | patch | [`21.2.9` -> `21.2.10`](https://renovatebot.com/diffs/npm/@angular-devkit%2fcore/21.2.9/21.2.10) | | [@angular-devkit/schematics](https://github.com/angular/angular-cli) | devDependencies | patch | [`21.2.9` -> `21.2.10`](https://renovatebot.com/diffs/npm/@angular-devkit%2fschematics/21.2.9/21.2.10) | | [@angular/build](https://github.com/angular/angular-cli) | devDependencies | patch | [`21.2.9` -> `21.2.10`](https://renovatebot.com/diffs/npm/@angular%2fbuild/21.2.9/21.2.10) | | [@angular/cli](https://github.com/angular/angular-cli) | devDependencies | patch | [`21.2.9` -> `21.2.10`](https://renovatebot.com/diffs/npm/@angular%2fcli/21.2.9/21.2.10) | | [@angular/common](https://github.com/angular/angular) ([source](https://github.com/angular/angular/tree/HEAD/packages/common)) | dependencies | patch | [`21.2.11` -> `21.2.12`](https://renovatebot.com/diffs/npm/@angular%2fcommon/21.2.11/21.2.12) | | [@angular/compiler](https://github.com/angular/angular) ([source](https://github.com/angular/angular/tree/HEAD/packages/compiler)) | dependencies | patch | [`21.2.11` -> `21.2.12`](https://renovatebot.com/diffs/npm/@angular%2fcompiler/21.2.11/21.2.12) | | [@angular/compiler-cli](https://github.com/angular/angular/tree/main/packages/compiler-cli) ([source](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli)) | devDependencies | patch | [`21.2.11` -> `21.2.12`](https://renovatebot.com/diffs/npm/@angular%2fcompiler-cli/21.2.11/21.2.12) | | [@angular/core](https://github.com/angular/angular) ([source](https://github.com/angular/angular/tree/HEAD/packages/core)) | dependencies | patch | [`21.2.11` -> `21.2.12`](https://renovatebot.com/diffs/npm/@angular%2fcore/21.2.11/21.2.12) | | [@angular/forms](https://github.com/angular/angular) ([source](https://github.com/angular/angular/tree/HEAD/packages/forms)) | dependencies | patch | [`21.2.11` -> `21.2.12`](https://renovatebot.com/diffs/npm/@angular%2fforms/21.2.11/21.2.12) | | [@angular/language-service](https://github.com/angular/angular) ([source](https://github.com/angular/angular/tree/HEAD/packages/language-service)) | devDependencies | patch | [`21.2.11` -> `21.2.12`](https://renovatebot.com/diffs/npm/@angular%2flanguage-service/21.2.11/21.2.12) | | [@angular/platform-browser](https://github.com/angular/angular) ([source](https://github.com/angular/angular/tree/HEAD/packages/platform-browser)) | dependencies | patch | [`21.2.11` -> `21.2.12`](https://renovatebot.com/diffs/npm/@angular%2fplatform-browser/21.2.11/21.2.12) | | [@angular/router](https://github.com/angular/angular/tree/main/packages/router) ([source](https://github.com/angular/angular/tree/HEAD/packages/router)) | dependencies | patch | [`21.2.11` -> `21.2.12`](https://renovatebot.com/diffs/npm/@angular%2frouter/21.2.11/21.2.12) | | [@schematics/angular](https://github.com/angular/angular-cli) | devDependencies | patch | [`21.2.9` -> `21.2.10`](https://renovatebot.com/diffs/npm/@schematics%2fangular/21.2.9/21.2.10) | --- ### Release Notes <details> <summary>angular/angular-cli (@​angular-devkit/core)</summary> ### [`v21.2.10`](https://github.com/angular/angular-cli/blob/HEAD/CHANGELOG.md#21210-2026-05-06) [Compare Source](https://github.com/angular/angular-cli/compare/v21.2.9...v21.2.10) ##### [@​angular/cli](https://github.com/angular/cli) | Commit | Type | Description | | --------------------------------------------------------------------------------------------------- | ---- | ----------------------------------------------------------------------- | | [bb8611913](https://github.com/angular/angular-cli/commit/bb861191328fc2d25bd5ee99b0c8edc5e49d3a7d) | fix | restrict MCP workspace access to allowed client roots during resolution | <!-- CHANGELOG SPLIT MARKER --> </details> <details> <summary>angular/angular (@​angular/common)</summary> ### [`v21.2.12`](https://github.com/angular/angular/blob/HEAD/CHANGELOG.md#21212-2026-05-06) [Compare Source](https://github.com/angular/angular/compare/v21.2.11...v21.2.12) ##### core | Commit | Type | Description | | -- | -- | -- | | [fe13bb669d](https://github.com/angular/angular/commit/fe13bb669d2bfab4713623d17b41c430aa0a61d8) | fix | allow explicit read generic with signal input transforms | | [3430251fef](https://github.com/angular/angular/commit/3430251fef93f6aec1fa9c7867e85df23f67c9a0) | fix | i18n flags leaking on errors | | [1aeebbe304](https://github.com/angular/angular/commit/1aeebbe3048b5aa612dd0a5448de9883ed51e7e8) | fix | respect ngSkipHydration on components with projectable nodes in LContainers | | [9e38ed7d57](https://github.com/angular/angular/commit/9e38ed7d5773a9193ba07afdba3f7a9f2fe02d18) | fix | sanitizer typings | | [7a05a9a71a](https://github.com/angular/angular/commit/7a05a9a71a5ab75042ec5560c01526de6e61e062) | fix | validate security-sensitive attributes in i18n bindings | | [c37f6ca42f](https://github.com/angular/angular/commit/c37f6ca42f263353cb9563fa90d7b31d3c7837ca) | fix | visit ng-let expression value in signal migration schematics | ##### forms | Commit | Type | Description | | -- | -- | -- | | [03ad53863b](https://github.com/angular/angular/commit/03ad53863bf3c368f0f02a4322d4141e8f70f674) | fix | prohibit concurrent submits in signal forms | <!-- CHANGELOG SPLIT MARKER --> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #47 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
0d21129bad |
chore(deps): update dependency vite to v8.0.11 (#46)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [vite](https://vite.dev) ([source](https://github.com/vitejs/vite/tree/HEAD/packages/vite)) | devDependencies | patch | [`8.0.10` -> `8.0.11`](https://renovatebot.com/diffs/npm/vite/8.0.10/8.0.11) | --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v8.0.11`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8011-2026-05-07-small) [Compare Source](https://github.com/vitejs/vite/compare/v8.0.10...v8.0.11) ##### Features - update rolldown to 1.0.0-rc.18 ([#​22360](https://github.com/vitejs/vite/issues/22360)) ([3f80524](https://github.com/vitejs/vite/commit/3f80524aa1fa40bfa831f1a1bf2641c3979ba396)) ##### Bug Fixes - **deps:** update all non-major dependencies ([#​22334](https://github.com/vitejs/vite/issues/22334)) ([672c962](https://github.com/vitejs/vite/commit/672c96288fd5440bbecddc65551e713edeb8d403)) - **deps:** update all non-major dependencies ([#​22382](https://github.com/vitejs/vite/issues/22382)) ([5c0cfcb](https://github.com/vitejs/vite/commit/5c0cfcb83dde2c6e25b6c3215dd622956bf29631)) - **glob:** align hmr matcher options with glob enumeration ([#​22306](https://github.com/vitejs/vite/issues/22306)) ([30028f9](https://github.com/vitejs/vite/commit/30028f94516fa06dd0212567373169b3b3f6e393)) - make separate object instance for each environment ([#​22276](https://github.com/vitejs/vite/issues/22276)) ([7c2aa3b](https://github.com/vitejs/vite/commit/7c2aa3b40ba00ce1299e4f31932c7929f179a80a)) ##### Documentation - **create-vite:** list react-compiler templates in README ([#​22347](https://github.com/vitejs/vite/issues/22347)) ([7c3a61f](https://github.com/vitejs/vite/commit/7c3a61f42da6445904e93f0e29e9a2a838fa684a)) - explain mergeConfig skips null/undefined ([#​22325](https://github.com/vitejs/vite/issues/22325)) ([2151f70](https://github.com/vitejs/vite/commit/2151f701dc98270c905c540b209fb6d23d53d3ad)) - mention native config loader in CLI options ([#​22348](https://github.com/vitejs/vite/issues/22348)) ([0420c5d](https://github.com/vitejs/vite/commit/0420c5d37b6049476b6e6c16662be372575dd683)) - update evan's x handle ([640202a](https://github.com/vitejs/vite/commit/640202a2167b0c19b94e4d3b8ff87309ae1f44d0)) ##### Miscellaneous Chores - **deps:** update dependency tsdown to ^0.21.10 ([#​22333](https://github.com/vitejs/vite/issues/22333)) ([3b51e05](https://github.com/vitejs/vite/commit/3b51e050214c5a817c163838ab8643fe34c7d0c3)) - **deps:** update rolldown-related dependencies ([#​22383](https://github.com/vitejs/vite/issues/22383)) ([555ff36](https://github.com/vitejs/vite/commit/555ff36de70a43b3b3dc22f958bf78fe75e11d67)) - **deps:** update transitive packages to fix npm audit alerts ([#​22316](https://github.com/vitejs/vite/issues/22316)) ([86aee62](https://github.com/vitejs/vite/commit/86aee6268aa879d74f68a890392c1dee973ebf05)) ##### Code Refactoring - devtools integration ([#​22312](https://github.com/vitejs/vite/issues/22312)) ([3c8bf06](https://github.com/vitejs/vite/commit/3c8bf064ec76e311f2d8be3a37dcfdcdd4e4253c)) - remove unnecessary async ([#​22296](https://github.com/vitejs/vite/issues/22296)) ([b31fd35](https://github.com/vitejs/vite/commit/b31fd355d93eb166573362bd09c07745b9f76755)) - show direct path type in bad character warning ([#​22339](https://github.com/vitejs/vite/issues/22339)) ([0c162e9](https://github.com/vitejs/vite/commit/0c162e96a6545c93808e7338b9adeca2636596fa)) ##### Tests - **create-vite:** use short help alias ([#​22389](https://github.com/vitejs/vite/issues/22389)) ([994ab66](https://github.com/vitejs/vite/commit/994ab66bc4dc872278d8353d710ffc4bbd881f8d)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: https://git.unespace.com/julien/apf_portal/pulls/46 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
a0e8e095d0 |
fix(ci): run scanners before pnpm install to avoid node_modules false positives (#51)
## Summary First successful gitleaks run flagged **381 "leaks"** — all inside `node_modules/` and `.pnpm-store/`, populated by the `pnpm install --frozen-lockfile` step that ran earlier in the job. Upstream npm packages routinely embed demo RSA keys / fake API tokens in their READMEs and test fixtures, and gitleaks correctly (by its rules) flags them. Same class of false-positive Trivy hit in #49 — solved there by `--scanners vuln`. Here, the cleanest solution is **reordering**: run the scanners *before* `pnpm install`, so the working tree contains only our committed source. - **Trivy** scans `pnpm-lock.yaml` (committed) — doesn't need install. - **Gitleaks** scans the working tree (`--no-git --source .` in ci.yml) — doesn't need install. - **pnpm audit** reads `pnpm-lock.yaml` against the advisory DB — also doesn't need install. The install before audit remains for the workspace-integrity sanity check. The ordering rationale is committed as a comment at the top of each job's `steps:` block, so a future contributor doesn't innocently shuffle the steps and re-flood the gate with FPs. Same reordering applied to `.gitea/workflows/security-scheduled.yml` for consistency, even though its deep-history gitleaks scan doesn't suffer this issue (`node_modules` is `.gitignore`d from day one — never in history). ## Test plan - [ ] `scan` job goes green end-to-end on this PR — gitleaks reports 0 leaks (or only real ones from our source, none expected). - [ ] On `push` to main post-merge, scan stays green. - [ ] Trigger `security-scheduled` manually before next Monday's cron to verify the same ordering doesn't break the deep scan. ## After this PR With #43 (TS/ESLint reverts), #45 (Trivy install), #49 (Trivy `--scanners vuln`), #50 (gitleaks install), and now this — every gate of the CI pipeline should be green end-to-end. Phase-1 CI bring-up is then complete and we can move to **A — local infra recipe** (Postgres + Redis + OTel Collector). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #51 |
||
|
|
0d27f835c3 |
fix(ci): replace gitleaks-action with manual install (#50)
## Summary `gitleaks/gitleaks-action@v2` is now paywalled for organisations — the action requires a `GITLEAKS_LICENSE` secret from gitleaks.io (commercial) or it errors out: ``` 🛑 missing gitleaks license. Go grab one at gitleaks.io and store it as a GitHub Secret named GITLEAKS_LICENSE. ``` Worse, on Gitea it cannot reliably detect personal-vs-org accounts (different API contract), so it defaults to license enforcement and the scan always fails. The **gitleaks binary itself stays MIT-licensed and free** — only the wrapper went commercial. Mirror the pattern from #45 (Trivy): drop the wrapper, install the binary directly via curl + tar, run the CLI. ## Scope of the PR The same two broken integrations existed in `.gitea/workflows/security-scheduled.yml` and would have failed silently at next Monday's cron. Fix both files in one PR for consistency. - **`ci.yml`** — gitleaks step replaced. Per-PR scan uses `--no-git --source .` (working tree only — the scan job uses a shallow checkout anyway). - **`security-scheduled.yml`** — both gitleaks AND trivy steps replaced; `fetch-depth: 0` added so gitleaks can do its **deep history scan** here (the value-add of the scheduled job over the per-PR gate); `cache: 'pnpm'` dropped from `actions/setup-node` (consistency with #8 — the act_runner cache server is unreachable from job containers). - `--redact` on both gitleaks invocations so any matched secret is masked in the CI log itself (avoids re-leaking via log artefacts). ## Trade-off Like Trivy, gitleaks version is now manually pinned. Same comment in the workflow points to releases for bumps. ## Test plan - [ ] `scan` job goes green end-to-end on this PR (audit ✓, Trivy ✓, gitleaks ✓). - [ ] `gitleaks version` line in the install step's logs shows `8.21.0`. - [ ] On `push` to main post-merge, scan stays green. - [ ] Trigger `security-scheduled` manually (Actions → Run workflow) to verify the deep-history scan path before next Monday's cron fires. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #50 |
||
|
|
2cc795a9fd |
fix(ci): restrict Trivy to vulnerability scanner only (#49)
## Summary First successful Trivy run (post #45's manual install) came back red on three "secret" findings — all demo RSA private keys embedded in the README / test fixtures of a cryptographic npm package, sitting deep in `.pnpm-store/v10/files/...`. None of them are our secrets. Two observations: - The `scan` job already chains `gitleaks/gitleaks-action@v2` right after Trivy. Running two secret scanners over the same tree just doubles the false-positive surface. - Trivy's own log suggests `--scanners vuln` when secret scanning isn't the focus. And [ADR-0015](docs/decisions/0015-cicd-gitea-actions.md) always framed this step as "dependency vulnerability scan" — singular. Restrict Trivy to `--scanners vuln`. Result: vuln scan against `pnpm-lock.yaml` complementing `pnpm audit` (which uses the npm advisory DB; Trivy's DB is broader, sources from OSV/GHSA/etc.). Gitleaks stays the single secret-scan source. No `--skip-dirs` change needed: vuln scanning reads `pnpm-lock.yaml`, not the unpacked store. ## Test plan - [ ] `scan` job goes green end-to-end on this PR — `pnpm ci:audit` ✓, `Install Trivy` ✓, `Run Trivy` ✓ (no secret findings reported), `gitleaks` ✓. - [ ] On `push` to main post-merge, scan stays green. - [ ] Future Trivy bumps (manual, see workflow comment) keep this `--scanners vuln` flag. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #49 |
||
|
|
6fc26db1b5 |
fix(ci): restrict Trivy to vulnerability scanner only (#48)
## Summary First successful Trivy run (post #45's manual install) came back red on three "secret" findings — all demo RSA private keys embedded in the README / test fixtures of a cryptographic npm package, sitting deep in `.pnpm-store/v10/files/...`. None of them are our secrets. Two observations: - The `scan` job already chains `gitleaks/gitleaks-action@v2` right after Trivy. Running two secret scanners over the same tree just doubles the false-positive surface. - Trivy's own log suggests `--scanners vuln` when secret scanning isn't the focus. And [ADR-0015](docs/decisions/0015-cicd-gitea-actions.md) always framed this step as "dependency vulnerability scan" — singular. Restrict Trivy to `--scanners vuln`. Result: vuln scan against `pnpm-lock.yaml` complementing `pnpm audit` (which uses the npm advisory DB; Trivy's DB is broader, sources from OSV/GHSA/etc.). Gitleaks stays the single secret-scan source. No `--skip-dirs` change needed: vuln scanning reads `pnpm-lock.yaml`, not the unpacked store. ## Test plan - [ ] `scan` job goes green end-to-end on this PR — `pnpm ci:audit` ✓, `Install Trivy` ✓, `Run Trivy` ✓ (no secret findings reported), `gitleaks` ✓. - [ ] On `push` to main post-merge, scan stays green. - [ ] Future Trivy bumps (manual, see workflow comment) keep this `--scanners vuln` flag. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #48 |
||
|
|
57a08c3b71 |
fix(ci): replace trivy-action with manual curl install (#45)
## Summary PR #44's `GITHUB_TOKEN` env injection didn't actually authenticate the github.com clone. Root cause: `aquasecurity/trivy-action` wraps `actions/checkout`, whose `with.token` input defaults to `${{ github.token }}` (Gitea's auto-token, useless against github.com), and that wins over our env var. The clone keeps hitting the anonymous rate limit. Rather than fight the action's internals (`INPUT_TOKEN` overrides, `git config insteadOf` injection, etc.), drop it and install Trivy directly via `curl + tar` from the GitHub release artefact. ## Side benefits - **Version pinned** (`TRIVY_VERSION=0.70.0`) — no more `@master`. Moving-target tags are exactly what bit us in #43 (the TS6 / ESLint10 / webpack-cli7 mess); not adding a new instance of the same anti-pattern. - **Predictable** — straight curl + tar, no third-party action indirection to debug. - `GITHUBCOM_TOKEN` passed as Bearer header on the curl — defensive: release artefact downloads are usually unmetered, but auth is free insurance against rate-limit surprises. ## Trade-off Trivy version bumps become manual. Renovate can't track this pin out of the box. A custom regex manager in `renovate.json` could be added later if the cadence justifies it; for now, manual review of [Trivy releases](https://github.com/aquasecurity/trivy/releases) every few months is acceptable. ## Test plan - [ ] `scan` job goes green on this PR — both `Install Trivy` and `Run Trivy` steps succeed. - [ ] `trivy --version` in the install step's logs reports `0.70.0`. - [ ] No regression on the `pnpm ci:audit` or `gitleaks` sub-steps of `scan`. - [ ] On `push` to main post-merge, scan stays green. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #45 |
||
|
|
6153c81602 |
fix(ci): authenticate trivy-action's github.com clone (#44)
## Summary On cache miss, `aquasecurity/trivy-action@master` falls back to `git clone https://github.com/aquasecurity/trivy` to fetch its install script. Our act_runner cache server is currently unreachable from job containers (documented as "Cache server (deferred)" in `infra/README.md`), so every CI run is a cache miss, every run does the clone, and every clone hits github.com's 60 req/h anonymous rate limit: Pass `GITHUBCOM_TOKEN` (same zero-scope github.com PAT used for Renovate) as `GITHUB_TOKEN` env on the trivy step. The action picks it up automatically and authenticates the clone, lifting the rate limit from 60 → 5 000 req/h. ## Test plan - [ ] `scan` job goes green on this PR (the trivy step in particular). - [ ] On `push` to main post-merge, scan stays green. - [ ] No regression on the audit / gitleaks sub-steps of `scan`. ## Related - The deeper fix (re-enabling the act_runner cache server so trivy gets a real cache hit and skips the clone entirely) is tracked as "Cache server (deferred)" in `infra/README.md`. Worth doing eventually; this PR is the surgical fix. - The `@master` pin on the trivy-action is also worth replacing with a tagged version (`renovate.json` will surface bumps once we lift the major-dashboard gate for it). Out of scope for this PR. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #44 |
||
|
|
f5d3697466 |
fix(deps): revert TS6/ESLint10/webpack-cli7 majors and gate future majors (#43)
## Summary Three Renovate major bumps merged silently because `nx affected` doesn't see deps-only PRs as affecting any project — CI passed trivially, the breakage only surfaced when `nx run-many` was run locally: - **TypeScript 5→6** (#33) — `tsconfig.lib.json` fails with `TS5101: Option 'baseUrl' is deprecated`. Revert to 5.9.x. - **ESLint 9→10** (#36) — `@nx/eslint@22.7.1` not compatible: project graph fails with "Unable to find eslint". Revert eslint, `@eslint/js`, `jsonc-eslint-parser`, `eslint-plugin-playwright` to ESLint-9-compatible versions. - **webpack-cli 5→7** (#34) — webpack-cli 7 removed the `--node-env=production` flag Nx generates. Revert to 5.x. Bonus side-fix: the `ajv@<8.18.0` override added in #42 was over-broad and was forcing ESLint's bundled ajv to v8 (incompatible with ESLint 9's option contract). Narrow the override to `@angular-devkit/core>ajv@<8.18.0` so only the targeted nestjs-prisma chain is bumped. ## Prevention — gate majors behind the dependency dashboard Add a Renovate `packageRule` with `dependencyDashboardApproval: true` for `matchUpdateTypes: ["major"]`. Renovate stops auto-creating PRs for majors; they appear as checkboxes in the dashboard issue, and only get a PR after a human ticks the box (presumably after reading the changelog and confirming Nx-plugin / Angular / NestJS readiness). This is the surgical fix for the gap. The deeper fix (making `nx affected` correctly mark all projects as affected on package.json changes) is a separate investigation worth doing later — but the dashboard gate prevents the same trap regardless. ## Verification Locally on this branch: - `pnpm exec nx run-many -t lint test build --parallel=2` → ✓ 8 projects pass. - `pnpm audit --audit-level=moderate` → 0 vulnerabilities. ## Test plan - [ ] `check` job goes green on this PR (would have caught the regressions if `nx affected` were broader). - [ ] After merge, the next Renovate run does not create new PRs for any major (TS, eslint, webpack-cli, etc.). - [ ] Any pending major in the dashboard issue still appears, but only as a checkbox awaiting approval. ## Out of scope (follow-up) Investigate why `nx affected` misses package.json-only changes. Likely a missing entry in `nx.json` `namedInputs` (`default`) or `targetDefaults`. Worth its own focused PR; the dashboard gate is the conservative fix in the meantime. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #43 |
||
|
|
25bfba97cb |
chore(deps): pin patched transitive deps via pnpm.overrides (#42)
## Summary
Direct-dep updates from Renovate could not clear the `scan` gate — 20 vulnerabilities (4 high + 13 moderate + 3 low) lived inside transitive chains pinned by upstream tooling:
- `nx > axios` (8× CVEs), `nx > yaml`, `nx > follow-redirects`
- `@nx/devkit > minimatch > brace-expansion`
- `nestjs-prisma > @angular-devkit/core > ajv`
- `@angular/cli > @modelcontextprotocol/sdk > express-rate-limit > ip-address`
- `@lhci/cli > tmp`
Patched versions exist upstream but the parents pin tighter ranges. Renovate cannot help here — `pnpm.overrides` with the **upper-bound** form (`pkg@<x.y.z`) is the right tool: it forces patched resolutions today and self-expires once a parent legitimately reaches the patched version (the override stops matching).
After overrides: `pnpm audit --audit-level=moderate` → **0 vulnerabilities**.
## Bonus fix
Lint-staged was running prettier on `pnpm-lock.yaml` because the glob `*.yaml` matched. Tightened the glob to `!(pnpm-lock).{...,yaml}` so the lockfile stays under pnpm's own formatting authority.
## Test plan
- [ ] `scan` job goes green on this PR.
- [ ] No regression on `check` (lint/test/build).
- [ ] On the next deps-bump commit (any future Renovate PR rebased), the local pre-commit hook does **not** reformat `pnpm-lock.yaml`.
## Out of scope (separate follow-up PRs)
While testing locally, two pre-existing regressions on `main` surfaced (introduced by recent Renovate major bumps that passed CI through `nx affected` reporting "nothing affected"):
- **TypeScript 6 (PR #33)** — `tsconfig.lib.json` → `TS5101: Option 'baseUrl' is deprecated` on every lib build.
- **ESLint 10 (PR #36)** — `@nx/eslint@22.7.1` plugin can't resolve eslint, project graph fails.
Both deserve their own investigation before we move on to phase-2 chantiers.
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #42
|
||
|
|
6545c3a176 |
chore(deps): update dependency lint-staged to v17 (#41)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [lint-staged](https://github.com/lint-staged/lint-staged) | devDependencies | major | [`^16.4.0` -> `^17.0.0`](https://renovatebot.com/diffs/npm/lint-staged/16.4.0/17.0.2) | --- ### Release Notes <details> <summary>lint-staged/lint-staged (lint-staged)</summary> ### [`v17.0.2`](https://github.com/lint-staged/lint-staged/blob/HEAD/CHANGELOG.md#1702) [Compare Source](https://github.com/lint-staged/lint-staged/compare/v17.0.1...v17.0.2) ##### Patch Changes - [#​1779](https://github.com/lint-staged/lint-staged/pull/1779) [`88670ca`](https://github.com/lint-staged/lint-staged/commit/88670ca2278200f6348ed663358895ddc4bfff3c) Thanks [@​iiroj](https://github.com/iiroj)! - Enable immutable GitHub releases ### [`v17.0.1`](https://github.com/lint-staged/lint-staged/blob/HEAD/CHANGELOG.md#1701) [Compare Source](https://github.com/lint-staged/lint-staged/compare/v17.0.0...v17.0.1) ##### Patch Changes - [#​1776](https://github.com/lint-staged/lint-staged/pull/1776) [`4a5664b`](https://github.com/lint-staged/lint-staged/commit/4a5664be63af19590ec37940f705dad870ac5cfb) Thanks [@​iiroj](https://github.com/iiroj)! - Adjust GitHub Actions workflow so that automatic publishing works with signed commits. ### [`v17.0.0`](https://github.com/lint-staged/lint-staged/blob/HEAD/CHANGELOG.md#1700) [Compare Source](https://github.com/lint-staged/lint-staged/compare/v16.4.0...v17.0.0) ##### Major Changes - [#​1745](https://github.com/lint-staged/lint-staged/pull/1745) [`e244adf`](https://github.com/lint-staged/lint-staged/commit/e244adfab430be95803e74b20acf518517054c9f) Thanks [@​iiroj](https://github.com/iiroj)! - **Node.js v20 is no longer supported, and the oldest supported version is now `22.22.1`**, which is an active LTS version at the time of this release. Node.js 20 will be EOL after April 2026. Please upgrade your Node.js version! - [#​1676](https://github.com/lint-staged/lint-staged/pull/1676) [`0584e0b`](https://github.com/lint-staged/lint-staged/commit/0584e0b8824a07ea4d0151f2c17fc37c4905a421) Thanks [@​outslept](https://github.com/outslept)! - *Lint-staged* now tries to verify the installed Git version is at least `2.32.0`, released in 2021. If you're using an even older Git version, you need to [upgrade](https://git-scm.com/install/mac) it before running *lint-staged*! - [#​1745](https://github.com/lint-staged/lint-staged/pull/1745) [`2dcc40a`](https://github.com/lint-staged/lint-staged/commit/2dcc40a1a98aea20d38f76031ac30b278f81682a) Thanks [@​iiroj](https://github.com/iiroj)! - The dependency `yaml` is now marked as optional and probably won't be installed by default. If you're using a YAML configuration file you should install the package separately: ```shell npm install --development yaml ``` If you're using `.lintstagedrc` as the config file name (without a file extension), it will be treated as a YAML file. If the content is JSON, consider renaming it to `.lintstagedrc.json` to avoid needing to install `yaml`. ##### Minor Changes - [#​1748](https://github.com/lint-staged/lint-staged/pull/1748) [`809d5ef`](https://github.com/lint-staged/lint-staged/commit/809d5ef0a66edb2b26b233d33ce8e14af6c978e7) Thanks [@​iiroj](https://github.com/iiroj)! - Add new option `--hide-all` for hiding all unstaged changes and untracked files, before running tasks. This makes it easier to run tools like [Knip](https://knip.dev) which check for unused code. Untracked files are included in the backup stash and restored automatically after running. - [#​1759](https://github.com/lint-staged/lint-staged/pull/1759) [`f13045a`](https://github.com/lint-staged/lint-staged/commit/f13045a5eae28c3233fc37146b0e1f51739c254b) Thanks [@​iiroj](https://github.com/iiroj)! - Update dependencies, including [`tinyexec@1.1.1`](https://github.com/tinylibs/tinyexec/releases/tag/1.1.1) to fix the following issues: - When using a Node.js version manager with multiple versions installed ([nvm](https://github.com/nvm-sh/nvm), [n](https://github.com/tj/n), for example), scripts with the `#!/usr/bin/env node` shebang ([Prettier](https://github.com/prettier/prettier), [ESLint](https://github.com/eslint/eslint), for example) were previously spawned using the default Node.js version configured by the version manager (the one `which node` points to) on POSIX systems. Now, they will be spawned with the same version that *lint-staged* itself was started with. - For example, if your default Node.js version is 24.14.1 but *lint-staged* is run with the latest version 25.9.0, the tasks spawned by *lint-staged* will now also use version 25.9.0. Previously they were spawned using 24.14.1. - When installing Node.js from the Ubuntu App Center ([Snap store](https://snapcraft.io/store)), the `node` executable available in `PATH` is a symlink pointing to Snap itself. The sandboxing features of Snap prevented *lint-staged* from spawning scripts with the `#!/usr/bin/env node` shebang, because it meant *lint-staged* tried to spawn Snap via the symlink. This resulted in an `ENOENT` error when trying to run `prettier`, for example. Now, since the real `node` executable's directory is available in the `PATH`, *lint-staged* will instead spawn the script with the real `node` binary succesfully. - [#​1761](https://github.com/lint-staged/lint-staged/pull/1761) [`d3251b1`](https://github.com/lint-staged/lint-staged/commit/d3251b192d7116f059e7cabeffa3bfd7788dedeb) Thanks [@​iiroj](https://github.com/iiroj)! - *Lint-staged* now runs `git update-index --again` after running tasks, instead of `git add <originally staged files>`. This should improve compatibility when using non-default indexes, for example when committing with a pathspec `git commit -m "message" .` instead of adding files to the index. - [#​1745](https://github.com/lint-staged/lint-staged/pull/1745) [`a9585ac`](https://github.com/lint-staged/lint-staged/commit/a9585ac7ce0162c5c6c9aa88a28c11c812abedaf) Thanks [@​iiroj](https://github.com/iiroj)! - Remove `commander` as a dependency and use the built-in `parseArgs` from `node:util` to parse CLI flags. ##### Patch Changes - [#​1755](https://github.com/lint-staged/lint-staged/pull/1755) [`c82d30b`](https://github.com/lint-staged/lint-staged/commit/c82d30bda8c80f886bdfead2e7aa123f7337aa76) Thanks [@​iiroj](https://github.com/iiroj)! - All tests now pass on the [Bun](https://bun.com) runtime (latest). - [#​1750](https://github.com/lint-staged/lint-staged/pull/1750) [`a401818`](https://github.com/lint-staged/lint-staged/commit/a4018185016617b02e4473d14e036a5f1a9b3f85) Thanks [@​iiroj](https://github.com/iiroj)! - Remove manual handling for `git stash --keep-index` resurrecting deleted files, because the issue was fixed in Git `2.23.0` and *lint-staged* requires at least Git `2.32.0`. - [#​1771](https://github.com/lint-staged/lint-staged/pull/1771) [`c4b8936`](https://github.com/lint-staged/lint-staged/commit/c4b893665bf39670650ae71b4ec2073025e9984e) Thanks [@​iiroj](https://github.com/iiroj)! - Fix documentation about multiple config files and the `--cwd` option. When using it, all tasks will be run in the specified directory. For example, to run everything in the actual `process.cwd()`, use `lint-staged --cwd="."`. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #41 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
4a73d2e8db |
chore(deps): update pnpm to v10.33.4 (#40)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [pnpm](https://pnpm.io) ([source](https://github.com/pnpm/pnpm/tree/HEAD/pnpm)) | packageManager | patch | [`10.33.3` -> `10.33.4`](https://renovatebot.com/diffs/npm/pnpm/10.33.3/10.33.4) | --- ### Release Notes <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v10.33.4`](https://github.com/pnpm/pnpm/releases/tag/v10.33.4): pnpm 10.33.4 [Compare Source](https://github.com/pnpm/pnpm/compare/v10.33.3...v10.33.4) #### Patch Changes - Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. - Fix a regression where `pnpm --recursive --filter '!<pkg>' run/exec/test/add` would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative `--filter` arguments are provided, matching the [documented behavior](https://pnpm.io/cli/recursive). To include the root, pass `--include-workspace-root` [#​11341](https://github.com/pnpm/pnpm/issues/11341). <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: https://git.unespace.com/julien/apf_portal/pulls/40 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
8bb2d7b43f |
chore(deps): defer Prisma major updates pending coordinated upgrade ADR (#39)
## Summary Renovate kept proposing Prisma 7 even though we deliberately downgraded to Prisma 6 in #3 — `nestjs-prisma@0.27.0` is incompatible with Prisma 7's driver-adapter contract, and the upgrade is non-trivial enough to warrant its own ADR rather than a silent Renovate merge. - **`renovate.json`** — add `enabled: false` packageRule for `matchUpdateTypes: ["major"]` on `prisma`, `@prisma/*`, `nestjs-prisma`. Patch and minor bumps of the 6.x line keep flowing. - **ADR-0006** — new "Prisma version pin: 6.x in v1" subsection records the narrowing of "latest stable major" to 6.x and the two triggers for revisiting: 1. `nestjs-prisma` ships a release supporting Prisma 7, or 2. We decide to drop `nestjs-prisma` for a hand-rolled `PrismaModule`. Either path needs its own ADR (schema, client instantiation, request-scoped lifecycle all to re-validate). ## Test plan - [ ] Once merged, the open Prisma 7 PR can be closed (see closure comment below) and won't be recreated. - [ ] Next Renovate run confirms no Prisma-major PR is created (check the dependency dashboard issue). - [ ] Next patch/minor of Prisma 6.x still produces a normal grouped "Prisma" PR. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #39 |
||
|
|
68a819d88a |
chore(deps): update eslint (major) (#36)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@eslint/js](https://eslint.org) ([source](https://github.com/eslint/eslint/tree/HEAD/packages/js)) | devDependencies | major | [`^9.8.0` -> `^10.0.0`](https://renovatebot.com/diffs/npm/@eslint%2fjs/9.39.4/10.0.1) | | [eslint](https://eslint.org) ([source](https://github.com/eslint/eslint)) | devDependencies | major | [`^9.8.0` -> `^10.0.0`](https://renovatebot.com/diffs/npm/eslint/9.39.4/10.3.0) | | [eslint-plugin-playwright](https://github.com/mskelton/eslint-plugin-playwright) | devDependencies | major | [`^1.6.2` -> `^2.0.0`](https://renovatebot.com/diffs/npm/eslint-plugin-playwright/1.8.3/2.10.2) | --- ### Release Notes <details> <summary>eslint/eslint (@​eslint/js)</summary> ### [`v10.0.1`](https://github.com/eslint/eslint/releases/tag/v10.0.1) [Compare Source](https://github.com/eslint/eslint/compare/v10.0.0...v10.0.1) ##### Bug Fixes - [`c87d5bd`](https://github.com/eslint/eslint/commit/c87d5bded54c5cf491eb04c24c9d09bbbd42c23e) fix: update eslint ([#​20531](https://github.com/eslint/eslint/issues/20531)) (renovate\[bot]) - [`d841001`](https://github.com/eslint/eslint/commit/d84100115c14691691058f00779c94e74fca946a) fix: update `minimatch` to `10.2.1` to address security vulnerabilities ([#​20519](https://github.com/eslint/eslint/issues/20519)) (루밀LuMir) - [`04c2147`](https://github.com/eslint/eslint/commit/04c21475b3004904948f02049f2888b401d82c78) fix: update error message for unused suppressions ([#​20496](https://github.com/eslint/eslint/issues/20496)) (fnx) - [`38b089c`](https://github.com/eslint/eslint/commit/38b089c1726feac0e31a31d47941bd99e29ce003) fix: update dependency [@​eslint/config-array](https://github.com/eslint/config-array) to ^0.23.1 ([#​20484](https://github.com/eslint/eslint/issues/20484)) (renovate\[bot]) ##### Documentation - [`5b3dbce`](https://github.com/eslint/eslint/commit/5b3dbce50a1404a9f118afe810cefeee79388a2a) docs: add AI acknowledgement section to templates ([#​20431](https://github.com/eslint/eslint/issues/20431)) (루밀LuMir) - [`6f23076`](https://github.com/eslint/eslint/commit/6f23076037d5879f20fb3be2ef094293b1e8d38c) docs: toggle nav in no-JS mode ([#​20476](https://github.com/eslint/eslint/issues/20476)) (Tanuj Kanti) - [`b69cfb3`](https://github.com/eslint/eslint/commit/b69cfb32a16c5d5e9986390d484fae1d21e406f9) docs: Update README (GitHub Actions Bot) ##### Chores - [`e5c281f`](https://github.com/eslint/eslint/commit/e5c281ffd038a3a7a3e5364db0b9378e0ad83020) chore: updates for v9.39.3 release (Jenkins) - [`8c3832a`](https://github.com/eslint/eslint/commit/8c3832adb77cd993b4a24891900d5eeaaf093cdc) chore: update [@​typescript-eslint/parser](https://github.com/typescript-eslint/parser) to ^8.56.0 ([#​20514](https://github.com/eslint/eslint/issues/20514)) (Milos Djermanovic) - [`8330d23`](https://github.com/eslint/eslint/commit/8330d238ae6adb68bb6a1c9381e38cfedd990d94) test: add tests for config-api ([#​20493](https://github.com/eslint/eslint/issues/20493)) (Milos Djermanovic) - [`37d6e91`](https://github.com/eslint/eslint/commit/37d6e91e88fa6a2ca6d8726679096acff21ba6cc) chore: remove eslint v10 prereleases from eslint-config-eslint deps ([#​20494](https://github.com/eslint/eslint/issues/20494)) (Milos Djermanovic) - [`da7cd0e`](https://github.com/eslint/eslint/commit/da7cd0e79197ad16e17052eef99df141de6dbfb1) refactor: cleanup error message templates ([#​20479](https://github.com/eslint/eslint/issues/20479)) (Francesco Trotta) - [`84fb885`](https://github.com/eslint/eslint/commit/84fb885d49ac810e79a9491276b4828b53d913e5) chore: package.json update for [@​eslint/js](https://github.com/eslint/js) release (Jenkins) - [`1f66734`](https://github.com/eslint/eslint/commit/1f667344b57c4c09b548d94bcfac1f91b6e5c63d) chore: add `eslint` to `peerDependencies` of `@eslint/js` ([#​20467](https://github.com/eslint/eslint/issues/20467)) (Milos Djermanovic) ### [`v10.0.0`](https://github.com/eslint/eslint/releases/tag/v10.0.0) [Compare Source](https://github.com/eslint/eslint/compare/v9.39.4...v10.0.0) ##### Breaking Changes - [`f9e54f4`](https://github.com/eslint/eslint/commit/f9e54f43a5e497cdfa179338b431093245cb787b) feat!: estimate rule-tester failure location ([#​20420](https://github.com/eslint/eslint/issues/20420)) (ST-DDT) - [`a176319`](https://github.com/eslint/eslint/commit/a176319d8ade1a7d9b2d7fb8f038f55a2662325f) feat!: replace `chalk` with `styleText` and add `color` to `ResultsMeta` ([#​20227](https://github.com/eslint/eslint/issues/20227)) (루밀LuMir) - [`c7046e6`](https://github.com/eslint/eslint/commit/c7046e6c1e03c4ca0eee4888a1f2eba4c6454f84) feat!: enable JSX reference tracking ([#​20152](https://github.com/eslint/eslint/issues/20152)) (Pixel998) - [`fa31a60`](https://github.com/eslint/eslint/commit/fa31a608901684fbcd9906d1907e66561d16e5aa) feat!: add `name` to configs ([#​20015](https://github.com/eslint/eslint/issues/20015)) (Kirk Waiblinger) - [`3383e7e`](https://github.com/eslint/eslint/commit/3383e7ec9028166cafc8ea7986c2f7498d0049f0) fix!: remove deprecated `SourceCode` methods ([#​20137](https://github.com/eslint/eslint/issues/20137)) (Pixel998) - [`501abd0`](https://github.com/eslint/eslint/commit/501abd0e916a35554c58b7c0365537f1fa3880ce) feat!: update dependency minimatch to v10 ([#​20246](https://github.com/eslint/eslint/issues/20246)) (renovate\[bot]) - [`ca4d3b4`](https://github.com/eslint/eslint/commit/ca4d3b40085de47561f89656a2207d09946ed45e) fix!: stricter rule tester assertions for valid test cases ([#​20125](https://github.com/eslint/eslint/issues/20125)) (唯然) - [`96512a6`](https://github.com/eslint/eslint/commit/96512a66c86402fb0538cdcb6cd30b9073f6bf3b) fix!: Remove deprecated rule context methods ([#​20086](https://github.com/eslint/eslint/issues/20086)) (Nicholas C. Zakas) - [`c69fdac`](https://github.com/eslint/eslint/commit/c69fdacdb2e886b9d965568a397aa8220db3fe90) feat!: remove eslintrc support ([#​20037](https://github.com/eslint/eslint/issues/20037)) (Francesco Trotta) - [`208b5cc`](https://github.com/eslint/eslint/commit/208b5cc34a8374ff81412b5bec2e0800eebfbd04) feat!: Use `ScopeManager#addGlobals()` ([#​20132](https://github.com/eslint/eslint/issues/20132)) (Milos Djermanovic) - [`a2ee188`](https://github.com/eslint/eslint/commit/a2ee188ea7a38a0c6155f3d39e2b00e1d0f36e14) fix!: add `uniqueItems: true` in `no-invalid-regexp` option ([#​20155](https://github.com/eslint/eslint/issues/20155)) (Tanuj Kanti) - [`a89059d`](https://github.com/eslint/eslint/commit/a89059dbf2832d417dd493ee81483227ec44e4ab) feat!: Program range span entire source text ([#​20133](https://github.com/eslint/eslint/issues/20133)) (Pixel998) - [`39a6424`](https://github.com/eslint/eslint/commit/39a6424373d915fa9de0d7b0caba9a4dc3da9b53) fix!: assert 'text' is a string across all RuleFixer methods ([#​20082](https://github.com/eslint/eslint/issues/20082)) (Pixel998) - [`f28fbf8`](https://github.com/eslint/eslint/commit/f28fbf846244e043c92b355b224d121b06140b44) fix!: Deprecate `"always"` and `"as-needed"` options of the `radix` rule ([#​20223](https://github.com/eslint/eslint/issues/20223)) (Milos Djermanovic) - [`aa3fb2b`](https://github.com/eslint/eslint/commit/aa3fb2b233e929b37220be940575f42c280e0b98) fix!: tighten `func-names` schema ([#​20119](https://github.com/eslint/eslint/issues/20119)) (Pixel998) - [`f6c0ed0`](https://github.com/eslint/eslint/commit/f6c0ed0311dcfee853367d5068c765d066e6b756) feat!: report `eslint-env` comments as errors ([#​20128](https://github.com/eslint/eslint/issues/20128)) (Francesco Trotta) - [`4bf739f`](https://github.com/eslint/eslint/commit/4bf739fb533e59f7f0a66b65f7bc80be0f37d8db) fix!: remove deprecated `LintMessage#nodeType` and `TestCaseError#type` ([#​20096](https://github.com/eslint/eslint/issues/20096)) (Pixel998) - [`523c076`](https://github.com/eslint/eslint/commit/523c076866400670fb2192a3f55dbf7ad3469247) feat!: drop support for jiti < 2.2.0 ([#​20016](https://github.com/eslint/eslint/issues/20016)) (michael faith) - [`454a292`](https://github.com/eslint/eslint/commit/454a292c95f34dad232411ddac06408e6383bb64) feat!: update `eslint:recommended` configuration ([#​20210](https://github.com/eslint/eslint/issues/20210)) (Pixel998) - [`4f880ee`](https://github.com/eslint/eslint/commit/4f880ee02992e1bf0e96ebaba679985e2d1295f1) feat!: remove `v10_*` and inactive `unstable_*` flags ([#​20225](https://github.com/eslint/eslint/issues/20225)) (sethamus) - [`f18115c`](https://github.com/eslint/eslint/commit/f18115c363a4ac7671a4c7f30ee13d57ebba330f) feat!: `no-shadow-restricted-names` report `globalThis` by default ([#​20027](https://github.com/eslint/eslint/issues/20027)) (sethamus) - [`c6358c3`](https://github.com/eslint/eslint/commit/c6358c31fbd3937b92d89be2618ffdf5a774604e) feat!: Require Node.js `^20.19.0 || ^22.13.0 || >=24` ([#​20160](https://github.com/eslint/eslint/issues/20160)) (Milos Djermanovic) ##### Features - [`bff9091`](https://github.com/eslint/eslint/commit/bff9091927811497dbf066b0e3b85ecb37d43822) feat: handle `Array.fromAsync` in `array-callback-return` ([#​20457](https://github.com/eslint/eslint/issues/20457)) (Francesco Trotta) - [`290c594`](https://github.com/eslint/eslint/commit/290c594bb50c439fb71bc75521ee5360daa8c222) feat: add `self` to `no-implied-eval` rule ([#​20468](https://github.com/eslint/eslint/issues/20468)) (sethamus) - [`43677de`](https://github.com/eslint/eslint/commit/43677de07ebd6e14bfac40a46ad749ba783c45f2) feat: fix handling of function and class expression names in `no-shadow` ([#​20432](https://github.com/eslint/eslint/issues/20432)) (Milos Djermanovic) - [`f0cafe5`](https://github.com/eslint/eslint/commit/f0cafe5f37e7765e9d8c2751b5f5d33107687009) feat: rule tester add assertion option `requireData` ([#​20409](https://github.com/eslint/eslint/issues/20409)) (fnx) - [`f7ab693`](https://github.com/eslint/eslint/commit/f7ab6937e63bc618d326710858f5861a68f80616) feat: output RuleTester test case failure index ([#​19976](https://github.com/eslint/eslint/issues/19976)) (ST-DDT) - [`7cbcbf9`](https://github.com/eslint/eslint/commit/7cbcbf9c3c2008deee7d143ae35e668e8ffbccb3) feat: add `countThis` option to `max-params` ([#​20236](https://github.com/eslint/eslint/issues/20236)) (Gerkin) - [`f148a5e`](https://github.com/eslint/eslint/commit/f148a5eaa1e89dd80ade62f0a690186b00b9f6e1) feat: add error assertion options ([#​20247](https://github.com/eslint/eslint/issues/20247)) (ST-DDT) - [`09e6654`](https://github.com/eslint/eslint/commit/09e66549ecada6dcb8c567a60faf044fce049188) feat: update error loc of `require-yield` and `no-useless-constructor` ([#​20267](https://github.com/eslint/eslint/issues/20267)) (Tanuj Kanti) ##### Bug Fixes - [`436b82f`](https://github.com/eslint/eslint/commit/436b82f3c0a8cfa2fdc17d173e95ea11d5d3ee03) fix: update eslint ([#​20473](https://github.com/eslint/eslint/issues/20473)) (renovate\[bot]) - [`1d29d22`](https://github.com/eslint/eslint/commit/1d29d22fe302443cec2a11da0816397f94af97ec) fix: detect default `this` binding in `Array.fromAsync` callbacks ([#​20456](https://github.com/eslint/eslint/issues/20456)) (Francesco Trotta) - [`727451e`](https://github.com/eslint/eslint/commit/727451eff55b35d853e0e443d0de58f4550762bf) fix: fix regression of global mode report range in `strict` rule ([#​20462](https://github.com/eslint/eslint/issues/20462)) (ntnyq) - [`e80485f`](https://github.com/eslint/eslint/commit/e80485fcd27196fa0b6f6b5c7ac8cf49ad4b079d) fix: remove fake `FlatESLint` and `LegacyESLint` exports ([#​20460](https://github.com/eslint/eslint/issues/20460)) (Francesco Trotta) - [`9eeff3b`](https://github.com/eslint/eslint/commit/9eeff3bc13813a786b8a4c3815def97c0fb646ef) fix: update esquery ([#​20423](https://github.com/eslint/eslint/issues/20423)) (cryptnix) - [`b34b938`](https://github.com/eslint/eslint/commit/b34b93852d014ebbcf3538d892b55e0216cdf681) fix: use `Error.prepareStackTrace` to estimate failing test location ([#​20436](https://github.com/eslint/eslint/issues/20436)) (Francesco Trotta) - [`51aab53`](https://github.com/eslint/eslint/commit/51aab5393b058f7cbed69041a9069b2bd106aabd) fix: update eslint ([#​20443](https://github.com/eslint/eslint/issues/20443)) (renovate\[bot]) - [`23490b2`](https://github.com/eslint/eslint/commit/23490b266276792896a0b7b43c49a1ce87bf8568) fix: handle space before colon in `RuleTester` location estimation ([#​20433](https://github.com/eslint/eslint/issues/20433)) (Francesco Trotta) - [`f244dbf`](https://github.com/eslint/eslint/commit/f244dbf2191267a4cafd08645243624baf3e8c83) fix: use `MessagePlaceholderData` type from `@eslint/core` ([#​20348](https://github.com/eslint/eslint/issues/20348)) (루밀LuMir) - [`d186f8c`](https://github.com/eslint/eslint/commit/d186f8c0747f14890e86a5a39708b052b391ddaf) fix: update eslint ([#​20427](https://github.com/eslint/eslint/issues/20427)) (renovate\[bot]) - [`2332262`](https://github.com/eslint/eslint/commit/2332262deb4ef3188b210595896bb0ff552a7e66) fix: error location should not modify error message in RuleTester ([#​20421](https://github.com/eslint/eslint/issues/20421)) (Milos Djermanovic) - [`ab99b21`](https://github.com/eslint/eslint/commit/ab99b21a6715dee1035d8f4e6d6841853eb5563f) fix: ensure `filename` is passed as third argument to `verifyAndFix()` ([#​20405](https://github.com/eslint/eslint/issues/20405)) (루밀LuMir) - [`8a60f3b`](https://github.com/eslint/eslint/commit/8a60f3bc80ad96c65feeb29886342623c630199c) fix: remove `ecmaVersion` and `sourceType` from `ParserOptions` type ([#​20415](https://github.com/eslint/eslint/issues/20415)) (Pixel998) - [`eafd727`](https://github.com/eslint/eslint/commit/eafd727a060131f7fc79b2eb5698d8d27683c3a2) fix: remove `TDZ` scope type ([#​20231](https://github.com/eslint/eslint/issues/20231)) (jaymarvelz) - [`39d1f51`](https://github.com/eslint/eslint/commit/39d1f51680d4fbade16b4d9c07ad61a87ee3b1ea) fix: correct `Scope` typings ([#​20404](https://github.com/eslint/eslint/issues/20404)) (sethamus) - [`2bd0f13`](https://github.com/eslint/eslint/commit/2bd0f13a92fb373827f16210aa4748d4885fddb1) fix: update `verify` and `verifyAndFix` types ([#​20384](https://github.com/eslint/eslint/issues/20384)) (Francesco Trotta) - [`ba6ebfa`](https://github.com/eslint/eslint/commit/ba6ebfa78de0b8522cea5ee80179887e92c6c935) fix: correct typings for `loadESLint()` and `shouldUseFlatConfig()` ([#​20393](https://github.com/eslint/eslint/issues/20393)) (루밀LuMir) - [`e7673ae`](https://github.com/eslint/eslint/commit/e7673ae096900330599680efe91f8a199a5c2e59) fix: correct RuleTester typings ([#​20105](https://github.com/eslint/eslint/issues/20105)) (Pixel998) - [`53e9522`](https://github.com/eslint/eslint/commit/53e95222af8561a8eed282fa9fd44b2f320a3c37) fix: strict removed formatters check ([#​20241](https://github.com/eslint/eslint/issues/20241)) (ntnyq) - [`b017f09`](https://github.com/eslint/eslint/commit/b017f094d4e53728f8d335b9cf8b16dc074afda3) fix: correct `no-restricted-import` messages ([#​20374](https://github.com/eslint/eslint/issues/20374)) (Francesco Trotta) ##### Documentation - [`e978dda`](https://github.com/eslint/eslint/commit/e978ddaab7e6a3c38b4a2afa721148a6ef38f29a) docs: Update README (GitHub Actions Bot) - [`4cecf83`](https://github.com/eslint/eslint/commit/4cecf8393ae9af18c4cfd50621115eb23b3d0cb6) docs: Update README (GitHub Actions Bot) - [`c79f0ab`](https://github.com/eslint/eslint/commit/c79f0ab2e2d242a93b08ff2f6a0712e2ef60b7b8) docs: Update README (GitHub Actions Bot) - [`773c052`](https://github.com/eslint/eslint/commit/773c0527c72c09fb5e63c2036b5cb9783f1f04d3) docs: Update README (GitHub Actions Bot) - [`f2962e4`](https://github.com/eslint/eslint/commit/f2962e46a0e8ee8e04d76e9d899f6a7c73a646f1) docs: document `meta.docs.frozen` property ([#​20475](https://github.com/eslint/eslint/issues/20475)) (Pixel998) - [`8e94f58`](https://github.com/eslint/eslint/commit/8e94f58bebfd854eed814a39e19dea4e3c3ee4a3) docs: fix broken anchor links from gerund heading updates ([#​20449](https://github.com/eslint/eslint/issues/20449)) (Copilot) - [`1495654`](https://github.com/eslint/eslint/commit/14956543d42ab542f72820f38941d0bcc39a1fbb) docs: Update README (GitHub Actions Bot) - [`0b8ed5c`](https://github.com/eslint/eslint/commit/0b8ed5c0aa4222a9b6b185c605cfedaef4662dcb) docs: document support for `:is` selector alias ([#​20454](https://github.com/eslint/eslint/issues/20454)) (sethamus) - [`1c4b33f`](https://github.com/eslint/eslint/commit/1c4b33fe8620dcaafbe6e8f4e9515b624476548c) docs: Document policies about ESM-only dependencies ([#​20448](https://github.com/eslint/eslint/issues/20448)) (Milos Djermanovic) - [`3e5d38c`](https://github.com/eslint/eslint/commit/3e5d38cdd5712bef50d440585b0f6669a2e9a9b9) docs: add missing indentation space in rule example ([#​20446](https://github.com/eslint/eslint/issues/20446)) (fnx) - [`63a0c7c`](https://github.com/eslint/eslint/commit/63a0c7c84bf5b12357893ea2bf0482aa3c855bac) docs: Update README (GitHub Actions Bot) - [`65ed0c9`](https://github.com/eslint/eslint/commit/65ed0c94e7cd1e3f882956113228311d8c7b3463) docs: Update README (GitHub Actions Bot) - [`b0e4717`](https://github.com/eslint/eslint/commit/b0e4717d6619ffd02913cf3633b44d8e6953d938) docs: \[no-await-in-loop] Expand inapplicability ([#​20363](https://github.com/eslint/eslint/issues/20363)) (Niklas Hambüchen) - [`fca421f`](https://github.com/eslint/eslint/commit/fca421f6a4eecd52f2a7ae5765bd9008f62f9994) docs: Update README (GitHub Actions Bot) - [`d925c54`](https://github.com/eslint/eslint/commit/d925c54f045b2230d3404e8aa18f4e2860a35e1d) docs: update config syntax in `no-lone-blocks` ([#​20413](https://github.com/eslint/eslint/issues/20413)) (Pixel998) - [`7d5c95f`](https://github.com/eslint/eslint/commit/7d5c95f281cb88868f4e09ca07fbbc6394d78c41) docs: remove redundant `sourceType: "module"` from rule examples ([#​20412](https://github.com/eslint/eslint/issues/20412)) (Pixel998) - [`02e7e71`](https://github.com/eslint/eslint/commit/02e7e7126366fc5eeffb713f865d80a759dc14b0) docs: correct `.mts` glob pattern in files with extensions example ([#​20403](https://github.com/eslint/eslint/issues/20403)) (Ali Essalihi) - [`264b981`](https://github.com/eslint/eslint/commit/264b981101a3cf0c12eba200ac64e5523186a89f) docs: Update README (GitHub Actions Bot) - [`5a4324f`](https://github.com/eslint/eslint/commit/5a4324f38e7ce370038351ef7412dcf8548c105e) docs: clarify `"local"` option of `no-unused-vars` ([#​20385](https://github.com/eslint/eslint/issues/20385)) (Milos Djermanovic) - [`e593aa0`](https://github.com/eslint/eslint/commit/e593aa0fd29f51edea787815ffc847aa723ef1f8) docs: improve clarity, grammar, and wording in documentation site README ([#​20370](https://github.com/eslint/eslint/issues/20370)) (Aditya) - [`3f5062e`](https://github.com/eslint/eslint/commit/3f5062ed5f27eb25414faced2478ae076906874e) docs: Add messages property to rule meta documentation ([#​20361](https://github.com/eslint/eslint/issues/20361)) (Sabya Sachi) - [`9e5a5c2`](https://github.com/eslint/eslint/commit/9e5a5c2b6b368cdacd678eabf36b441bd8bb726c) docs: remove `Examples` headings from rule docs ([#​20364](https://github.com/eslint/eslint/issues/20364)) (Milos Djermanovic) - [`194f488`](https://github.com/eslint/eslint/commit/194f488a8dc97850485afe704d2a64096582f96d) docs: Update README (GitHub Actions Bot) - [`0f5a94a`](https://github.com/eslint/eslint/commit/0f5a94a84beee19f376025c74f703f275d52c94b) docs: \[class-methods-use-this] explain purpose of rule ([#​20008](https://github.com/eslint/eslint/issues/20008)) (Kirk Waiblinger) - [`df5566f`](https://github.com/eslint/eslint/commit/df5566f826d9f5740546e473aa6876b1f7d2f12c) docs: add Options section to all rule docs ([#​20296](https://github.com/eslint/eslint/issues/20296)) (sethamus) - [`adf7a2b`](https://github.com/eslint/eslint/commit/adf7a2b202743a98edc454890574292dd2b34837) docs: no-unsafe-finally note for generator functions ([#​20330](https://github.com/eslint/eslint/issues/20330)) (Tom Pereira) - [`ef7028c`](https://github.com/eslint/eslint/commit/ef7028c9688dc931051a4217637eb971efcbd71b) docs: Update README (GitHub Actions Bot) - [`fbae5d1`](https://github.com/eslint/eslint/commit/fbae5d18854b30ea3b696672c7699cef3ec92140) docs: consistently use "v10.0.0" in migration guide ([#​20328](https://github.com/eslint/eslint/issues/20328)) (Pixel998) - [`778aa2d`](https://github.com/eslint/eslint/commit/778aa2d83e1ef1e2bd1577ee976c5a43472a3dbe) docs: ignoring default file patterns ([#​20312](https://github.com/eslint/eslint/issues/20312)) (Tanuj Kanti) - [`4b5dbcd`](https://github.com/eslint/eslint/commit/4b5dbcdae52c1c16293dc68028cab18ed2504841) docs: reorder v10 migration guide ([#​20315](https://github.com/eslint/eslint/issues/20315)) (Milos Djermanovic) - [`5d84a73`](https://github.com/eslint/eslint/commit/5d84a7371d01ead1b274600c055fe49150d487f1) docs: Update README (GitHub Actions Bot) - [`37c8863`](https://github.com/eslint/eslint/commit/37c8863088a2d7e845d019f68a329f53a3fe2c35) docs: fix incorrect anchor link in v10 migration guide ([#​20299](https://github.com/eslint/eslint/issues/20299)) (Pixel998) - [`077ff02`](https://github.com/eslint/eslint/commit/077ff028b6ce036da091d2f7ed8c606c9d017468) docs: add migrate-to-10.0.0 doc ([#​20143](https://github.com/eslint/eslint/issues/20143)) (唯然) - [`3822e1b`](https://github.com/eslint/eslint/commit/3822e1b768bb4a64b72b73b5657737a6ee5c8afe) docs: Update README (GitHub Actions Bot) ##### Build Related - [`9f08712`](https://github.com/eslint/eslint/commit/9f0871236e90ec78bcdbfa352cc1363b4bae5596) Build: changelog update for 10.0.0-rc.2 (Jenkins) - [`1e2c449`](https://github.com/eslint/eslint/commit/1e2c449701524b426022fde19144b1d22d8197b0) Build: changelog update for 10.0.0-rc.1 (Jenkins) - [`c4c72a8`](https://github.com/eslint/eslint/commit/c4c72a8d996dda629e85e78a6ef5417242594b5d) Build: changelog update for 10.0.0-rc.0 (Jenkins) - [`7e4daf9`](https://github.com/eslint/eslint/commit/7e4daf93d255ed343d68e999aad167bb20e5a96b) Build: changelog update for 10.0.0-beta.0 (Jenkins) - [`a126a2a`](https://github.com/eslint/eslint/commit/a126a2ab136406017f2dac2d7632114e37e62dc2) build: add .scss files entry to knip ([#​20389](https://github.com/eslint/eslint/issues/20389)) (Francesco Trotta) - [`f5c0193`](https://github.com/eslint/eslint/commit/f5c01932f69189b260646d60b28011c55870e65d) Build: changelog update for 10.0.0-alpha.1 (Jenkins) - [`165326f`](https://github.com/eslint/eslint/commit/165326f0469dd6a9b33598a6fceb66336bb2deb5) Build: changelog update for 10.0.0-alpha.0 (Jenkins) ##### Chores - [`1ece282`](https://github.com/eslint/eslint/commit/1ece282c2286b5dc187ece2a793dbd8798f20bd7) chore: ignore `/docs/v9.x` in link checker ([#​20452](https://github.com/eslint/eslint/issues/20452)) (Milos Djermanovic) - [`034e139`](https://github.com/eslint/eslint/commit/034e1397446205e83eb341354605380195c88633) ci: add type integration test for `@html-eslint/eslint-plugin` ([#​20345](https://github.com/eslint/eslint/issues/20345)) (sethamus) - [`f3fbc2f`](https://github.com/eslint/eslint/commit/f3fbc2f60cbe2c718364feb8c3fc0452c0df3c56) chore: set `@eslint/js` version to 10.0.0 to skip releasing it ([#​20466](https://github.com/eslint/eslint/issues/20466)) (Milos Djermanovic) - [`afc0681`](https://github.com/eslint/eslint/commit/afc06817bbd0625c7b0a46bdc81c38dab0c99441) chore: remove scopeManager.addGlobals patch for typescript-eslint parser ([#​20461](https://github.com/eslint/eslint/issues/20461)) (fnx) - [`3e5a173`](https://github.com/eslint/eslint/commit/3e5a173053fe0bb3d0f29aff12eb2c19ae21aa36) refactor: use types from `@eslint/plugin-kit` ([#​20435](https://github.com/eslint/eslint/issues/20435)) (Pixel998) - [`11644b1`](https://github.com/eslint/eslint/commit/11644b1dc2bdf4c4f3a97901932e5f25c9f60775) ci: rename workflows ([#​20463](https://github.com/eslint/eslint/issues/20463)) (Milos Djermanovic) - [`2d14173`](https://github.com/eslint/eslint/commit/2d14173729ae75fe562430dd5e37c457f44bc7ac) chore: fix typos in docs and comments ([#​20458](https://github.com/eslint/eslint/issues/20458)) (o-m12a) - [`6742f92`](https://github.com/eslint/eslint/commit/6742f927ba6afb1bce6f64b9b072a1a11dbf53c4) test: add endLine/endColumn to invalid test case in no-alert ([#​20441](https://github.com/eslint/eslint/issues/20441)) (경하) - [`3e22c82`](https://github.com/eslint/eslint/commit/3e22c82a87f44f7407ff75b17b26f1ceed3edd14) test: add missing location data to no-template-curly-in-string tests ([#​20440](https://github.com/eslint/eslint/issues/20440)) (Haeun Kim) - [`b4b3127`](https://github.com/eslint/eslint/commit/b4b3127f8542c599ce2dea804b6582ebc40c993d) chore: package.json update for [@​eslint/js](https://github.com/eslint/js) release (Jenkins) - [`f658419`](https://github.com/eslint/eslint/commit/f6584191cb5cabd62f6a197339a91e1f9b3f8432) refactor: remove `raw` parser option from JS language ([#​20416](https://github.com/eslint/eslint/issues/20416)) (Pixel998) - [`2c3efb7`](https://github.com/eslint/eslint/commit/2c3efb728b294b74a240ec24c7be8137a31cf5f0) chore: remove `category` from type test fixtures ([#​20417](https://github.com/eslint/eslint/issues/20417)) (Pixel998) - [`36193fd`](https://github.com/eslint/eslint/commit/36193fd9ad27764d8e4a24ce7c7bbeeaf5d4a6ba) chore: remove `category` from formatter test fixtures ([#​20418](https://github.com/eslint/eslint/issues/20418)) (Pixel998) - [`e8d203b`](https://github.com/eslint/eslint/commit/e8d203b0d9f66e55841863f90d215fd83b7eee0f) chore: add JSX language tag validation to `check-rule-examples` ([#​20414](https://github.com/eslint/eslint/issues/20414)) (Pixel998) - [`bc465a1`](https://github.com/eslint/eslint/commit/bc465a1e9d955b6e53a45d1b5da7c632dae77262) chore: pin dependencies ([#​20397](https://github.com/eslint/eslint/issues/20397)) (renovate\[bot]) - [`703f0f5`](https://github.com/eslint/eslint/commit/703f0f551daea28767e5a68a00e335928919a7ff) test: replace deprecated rules in `linter` tests ([#​20406](https://github.com/eslint/eslint/issues/20406)) (루밀LuMir) - [`ba71baa`](https://github.com/eslint/eslint/commit/ba71baa87265888b582f314163df1d727441e2f1) test: enable `strict` mode in type tests ([#​20398](https://github.com/eslint/eslint/issues/20398)) (루밀LuMir) - [`f9c4968`](https://github.com/eslint/eslint/commit/f9c49683a6d69ff0b5425803955fc226f7e05d76) refactor: remove `lib/linter/rules.js` ([#​20399](https://github.com/eslint/eslint/issues/20399)) (Francesco Trotta) - [`6f1c48e`](https://github.com/eslint/eslint/commit/6f1c48e5e7f8195f7796ea04e756841391ada927) chore: updates for v9.39.2 release (Jenkins) - [`54bf0a3`](https://github.com/eslint/eslint/commit/54bf0a3646265060f5f22faef71ec840d630c701) ci: create package manager test ([#​20392](https://github.com/eslint/eslint/issues/20392)) (루밀LuMir) - [`3115021`](https://github.com/eslint/eslint/commit/3115021439490d1ed12da5804902ebbf8a5e574b) refactor: simplify JSDoc comment detection logic ([#​20360](https://github.com/eslint/eslint/issues/20360)) (Pixel998) - [`4345b17`](https://github.com/eslint/eslint/commit/4345b172a81e1394579ec09df51ba460b956c3b5) chore: update `@eslint-community/regexpp` to `4.12.2` ([#​20366](https://github.com/eslint/eslint/issues/20366)) (루밀LuMir) - [`772c9ee`](https://github.com/eslint/eslint/commit/772c9ee9b65b6ad0be3e46462a7f93c37578cfa8) chore: update dependency [@​eslint/eslintrc](https://github.com/eslint/eslintrc) to ^3.3.3 ([#​20359](https://github.com/eslint/eslint/issues/20359)) (renovate\[bot]) - [`0b14059`](https://github.com/eslint/eslint/commit/0b14059491d830a49b3577931f4f68fbcfce6be5) chore: package.json update for [@​eslint/js](https://github.com/eslint/js) release (Jenkins) - [`d6e7bf3`](https://github.com/eslint/eslint/commit/d6e7bf3064be01d159d6856e3718672c6a97a8e1) ci: bump actions/checkout from 5 to 6 ([#​20350](https://github.com/eslint/eslint/issues/20350)) (dependabot\[bot]) - [`139d456`](https://github.com/eslint/eslint/commit/139d4567d4afe3f1e1cdae21769d5e868f90ef0d) chore: require mandatory headers in rule docs ([#​20347](https://github.com/eslint/eslint/issues/20347)) (Milos Djermanovic) - [`3b0289c`](https://github.com/eslint/eslint/commit/3b0289c7b605b2d94fe2d0c347d07eea4b6ba1d4) chore: remove unused `.eslintignore` and test fixtures ([#​20316](https://github.com/eslint/eslint/issues/20316)) (Pixel998) - [`a463e7b`](https://github.com/eslint/eslint/commit/a463e7bea0d18af55e5557e33691e4b0685d9523) chore: update dependency js-yaml to v4 \[security] ([#​20319](https://github.com/eslint/eslint/issues/20319)) (renovate\[bot]) - [`ebfe905`](https://github.com/eslint/eslint/commit/ebfe90533d07a7020a5c63b93763fe537120f61f) chore: remove redundant rules from eslint-config-eslint ([#​20327](https://github.com/eslint/eslint/issues/20327)) (Milos Djermanovic) - [`88dfdb2`](https://github.com/eslint/eslint/commit/88dfdb23ee541de4e9c3aa5d8a152c5980f6cc3f) test: add regression tests for message placeholder interpolation ([#​20318](https://github.com/eslint/eslint/issues/20318)) (fnx) - [`6ed0f75`](https://github.com/eslint/eslint/commit/6ed0f758ff460b7a182c8d16b0487ae707e43cc9) chore: skip type checking in `eslint-config-eslint` ([#​20323](https://github.com/eslint/eslint/issues/20323)) (Francesco Trotta) - [`1e2cad5`](https://github.com/eslint/eslint/commit/1e2cad5f6fa47ed6ed89d2a29798dda926d50990) chore: package.json update for [@​eslint/js](https://github.com/eslint/js) release (Jenkins) - [`9da2679`](https://github.com/eslint/eslint/commit/9da26798483270a2c3c490c41cbd8f0c28edf75a) chore: update `@eslint/*` dependencies ([#​20321](https://github.com/eslint/eslint/issues/20321)) (Milos Djermanovic) - [`0439794`](https://github.com/eslint/eslint/commit/043979418161e1c17becef31b1dd5c6e1b031e98) refactor: use types from [@​eslint/core](https://github.com/eslint/core) ([#​20235](https://github.com/eslint/eslint/issues/20235)) (jaymarvelz) - [`cb51ec2`](https://github.com/eslint/eslint/commit/cb51ec2d6d3b729bf02a5e6b58b236578c6cce42) test: cleanup `SourceCode#traverse` tests ([#​20289](https://github.com/eslint/eslint/issues/20289)) (Milos Djermanovic) - [`897a347`](https://github.com/eslint/eslint/commit/897a3471d6da073c1a179fa84f7a3fe72973ec45) chore: remove restriction for `type` in rule tests ([#​20305](https://github.com/eslint/eslint/issues/20305)) (Pixel998) - [`d972098`](https://github.com/eslint/eslint/commit/d9720988579734da7323fbacca4c67058651d6ff) chore: ignore prettier updates in renovate to keep in sync with trunk ([#​20304](https://github.com/eslint/eslint/issues/20304)) (Pixel998) - [`a086359`](https://github.com/eslint/eslint/commit/a0863593872fe01b5dd0e04c682450c26ae40ac8) chore: remove redundant `fast-glob` dev-dependency ([#​20301](https://github.com/eslint/eslint/issues/20301)) (루밀LuMir) - [`564b302`](https://github.com/eslint/eslint/commit/564b30215c3c1aba47bc29f948f11db5c824cacd) chore: install `prettier` as a dev dependency ([#​20302](https://github.com/eslint/eslint/issues/20302)) (michael faith) - [`8257b57`](https://github.com/eslint/eslint/commit/8257b5729d6a26f88b079aa389df4ecea4451a80) refactor: correct regex for `eslint-plugin/report-message-format` ([#​20300](https://github.com/eslint/eslint/issues/20300)) (루밀LuMir) - [`e251671`](https://github.com/eslint/eslint/commit/e2516713bc9ae62117da3f490d9cb6a9676f44fe) refactor: extract assertions in RuleTester ([#​20135](https://github.com/eslint/eslint/issues/20135)) (唯然) - [`2e7f25e`](https://github.com/eslint/eslint/commit/2e7f25e18908e66d9bd1a4dc016709e39e19a24d) chore: add `legacy-peer-deps` to `.npmrc` ([#​20281](https://github.com/eslint/eslint/issues/20281)) (Milos Djermanovic) - [`39c638a`](https://github.com/eslint/eslint/commit/39c638a9aeb7ddc353684d536bbf69d1d39380bd) chore: update eslint-config-eslint dependencies for v10 prereleases ([#​20278](https://github.com/eslint/eslint/issues/20278)) (Milos Djermanovic) - [`8533b3f`](https://github.com/eslint/eslint/commit/8533b3fa281e6ecc481083ee83e9c34cae22f31c) chore: update dependency [@​eslint/json](https://github.com/eslint/json) to ^0.14.0 ([#​20288](https://github.com/eslint/eslint/issues/20288)) (renovate\[bot]) - [`796ddf6`](https://github.com/eslint/eslint/commit/796ddf6db5c8fe3e098aa3198128f8ce3c58f8e0) chore: update dependency [@​eslint/js](https://github.com/eslint/js) to ^9.39.1 ([#​20285](https://github.com/eslint/eslint/issues/20285)) (renovate\[bot]) </details> <details> <summary>mskelton/eslint-plugin-playwright (eslint-plugin-playwright)</summary> ### [`v2.10.2`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.10.2) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.10.1...v2.10.2) ##### Bug Fixes - **missing-playwright-await:** Fix false positive when re-assigning awaited variable ([8cca0ac](https://github.com/mskelton/eslint-plugin-playwright/commit/8cca0ac362d9ddbce899195f1433f8d853efc3d0)), closes [#​456](https://github.com/mskelton/eslint-plugin-playwright/issues/456) - **no-duplicate-hooks:** handle anonymous describe blocks in forEach loops ([8b4ec60](https://github.com/mskelton/eslint-plugin-playwright/commit/8b4ec601a0f801dc2a8701d66f12e28102ffc934)), closes [#​459](https://github.com/mskelton/eslint-plugin-playwright/issues/459) - **valid-test-tags:** Support template literal strings ([d98a05c](https://github.com/mskelton/eslint-plugin-playwright/commit/d98a05cb51150bee283109e041e8e458f6d7bc5f)), closes [#​460](https://github.com/mskelton/eslint-plugin-playwright/issues/460) ### [`v2.10.1`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.10.1) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.10.0...v2.10.1) ##### Bug Fixes - **missing-playwright-await:** Don't flag Array.fill as missing await ([cff9640](https://github.com/mskelton/eslint-plugin-playwright/commit/cff96403204e3cac83faf2d1768e3ded1378302d)), closes [#​450](https://github.com/mskelton/eslint-plugin-playwright/issues/450) - Narrow page detection to prefer false positives ([10238e1](https://github.com/mskelton/eslint-plugin-playwright/commit/10238e173e42725a369db5ee7fb162b1ee99d790)) ### [`v2.10.0`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.10.0) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.9.0...v2.10.0) ##### Bug Fixes - **missing-playwright-await:** Fix false positive with `expect().resolves` ([352e15e](https://github.com/mskelton/eslint-plugin-playwright/commit/352e15e0e28cda5c7f7fbcd5bd6d01cf634aea3e)), closes [#​448](https://github.com/mskelton/eslint-plugin-playwright/issues/448) - Support additional promise methods ([8646e62](https://github.com/mskelton/eslint-plugin-playwright/commit/8646e62527202cf11da6c00afc7f7e376d00773f)), closes [#​444](https://github.com/mskelton/eslint-plugin-playwright/issues/444) ##### Features - **missing-playwright-await:** Add `includePageLocatorMethods` flag for checking more missing awaits ([#​438](https://github.com/mskelton/eslint-plugin-playwright/issues/438)) ([41921f8](https://github.com/mskelton/eslint-plugin-playwright/commit/41921f8509bfa90ccef91d86ed874408b60a7abb)), closes [#​159](https://github.com/mskelton/eslint-plugin-playwright/issues/159) - **no-skipped-test:** Support `disallowFixme` to optionally disable `.fixme()` annotations ([6b42fdb](https://github.com/mskelton/eslint-plugin-playwright/commit/6b42fdb5cf74c6a98b7544e2931bd157cda88e51)), closes [#​446](https://github.com/mskelton/eslint-plugin-playwright/issues/446) ### [`v2.9.0`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.9.0) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.8.0...v2.9.0) ##### Bug Fixes - **no-restricted-roles:** Catch all uses, not just on page methods ([1861fa5](https://github.com/mskelton/eslint-plugin-playwright/commit/1861fa57fd21b8d2d17cbd96238fdf5970277686)) - Support nested locators everywhere ([0e48186](https://github.com/mskelton/eslint-plugin-playwright/commit/0e48186885a8868d3163cdd2d2732c3f227056ab)) ##### Features - **no-duplicate-hooks:** Mark as recommended ([fe3ca54](https://github.com/mskelton/eslint-plugin-playwright/commit/fe3ca54178cde017388aa5d844553a9b7a9d1307)) - **no-duplicate-slow:** Mark as recommended ([2f0b67d](https://github.com/mskelton/eslint-plugin-playwright/commit/2f0b67d841dd8f091f7c8ab44a6eadb34255127b)) - **prefer-hooks-in-order:** Mark as recommended ([e8ae16e](https://github.com/mskelton/eslint-plugin-playwright/commit/e8ae16ef219ce943749b194fc972b27a0162e8cb)) - **prefer-hooks-on-top:** Mark as recommended ([5ab9296](https://github.com/mskelton/eslint-plugin-playwright/commit/5ab929677dea5263b69e2fe44a43cf711b1bbb16)) - **prefer-locator:** Mark as recommended ([fcab221](https://github.com/mskelton/eslint-plugin-playwright/commit/fcab221c092c290c8b2b851b669ea0b1774ec75c)) - **prefer-to-have-count:** Mark as recommended ([fcbf086](https://github.com/mskelton/eslint-plugin-playwright/commit/fcbf086ae637cf569530856e7690b6da85a5c5fe)) - **prefer-to-have-length:** Mark as recommended ([c6c923e](https://github.com/mskelton/eslint-plugin-playwright/commit/c6c923e6b382c1bee4de89e2cf9781511a37e7a0)) ### [`v2.8.0`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.8.0) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.7.1...v2.8.0) ##### Bug Fixes - Add missing test coverage and fix several minor bugs ([#​434](https://github.com/mskelton/eslint-plugin-playwright/issues/434)) ([e3398ec](https://github.com/mskelton/eslint-plugin-playwright/commit/e3398ec61da52de205e7c9af2896633357769f74)) - **missing-playwright-await:** Handle spread elements ([df30163](https://github.com/mskelton/eslint-plugin-playwright/commit/df3016323819f7bc335fd1841971dccc2ae64f51)), closes [#​430](https://github.com/mskelton/eslint-plugin-playwright/issues/430) - **missing-playwright-await:** Support more promise edge cases ([b4cdcbd](https://github.com/mskelton/eslint-plugin-playwright/commit/b4cdcbd010a2b4dfc7ee14ab5bdc655897389f19)) ##### Features - Auto-detect `test.extend()` fixtures and import aliases ([#​432](https://github.com/mskelton/eslint-plugin-playwright/issues/432)) ([8b22ee7](https://github.com/mskelton/eslint-plugin-playwright/commit/8b22ee7b1f7823d81bafda82e240dd51106726dd)) ### [`v2.7.1`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.7.1) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.7.0...v2.7.1) ##### Bug Fixes - **missing-playwirght-await:** Fix false positive with promise chains ([6e4f5ff](https://github.com/mskelton/eslint-plugin-playwright/commit/6e4f5ff4876c4e92542e7fde20ec5314d4b36ba5)) ### [`v2.7.0`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.7.0) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.6.1...v2.7.0) ##### Features - Support ESLint 10 ([aa5315b](https://github.com/mskelton/eslint-plugin-playwright/commit/aa5315b70cd2481d3093d27435d1938585e1de9a)), closes [#​424](https://github.com/mskelton/eslint-plugin-playwright/issues/424) ### [`v2.6.1`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.6.1) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.6.0...v2.6.1) ##### Bug Fixes - Exclude `@typescript-eslint/utils` from the bundle ([6547702](https://github.com/mskelton/eslint-plugin-playwright/commit/6547702acf8b09736f36d79a2daec0219b930986)), closes [#​425](https://github.com/mskelton/eslint-plugin-playwright/issues/425) ### [`v2.6.0`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.6.0) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.5.1...v2.6.0) ##### Bug Fixes - **docs:** consistent-spacing-between-blocks name ([#​421](https://github.com/mskelton/eslint-plugin-playwright/issues/421)) ([f2306ed](https://github.com/mskelton/eslint-plugin-playwright/commit/f2306ed279a1434beef3f5eca83ce384b848dce4)) - **valid-title:** Ignore variables we can't statically determine ([1597555](https://github.com/mskelton/eslint-plugin-playwright/commit/15975557f1e6a792a6e0ae843ae5c98496ae8f91)), closes [#​368](https://github.com/mskelton/eslint-plugin-playwright/issues/368) ##### Features - Add `no-duplicate-slow` rule ([dac9495](https://github.com/mskelton/eslint-plugin-playwright/commit/dac94950502698708f7e001f54fa7c505c20dafc)), closes [#​418](https://github.com/mskelton/eslint-plugin-playwright/issues/418) - Add `no-restricted-roles` rule ([#​422](https://github.com/mskelton/eslint-plugin-playwright/issues/422)) ([91817bf](https://github.com/mskelton/eslint-plugin-playwright/commit/91817bf63fb6b764af6e85f4968eff7165ae52a3)) - Add `require-to-pass-timeout` rule ([e620e87](https://github.com/mskelton/eslint-plugin-playwright/commit/e620e87ccf3e585a99acb500c4c635e8d1320cf8)), closes [#​345](https://github.com/mskelton/eslint-plugin-playwright/issues/345) - Add require-tags rule ([c83b13a](https://github.com/mskelton/eslint-plugin-playwright/commit/c83b13ab08cd4631129a28a44b7f1ea29b17585b)), closes [#​401](https://github.com/mskelton/eslint-plugin-playwright/issues/401) - **missing-playwright-await:** Add support for waitForResponse and other similar functions ([960be8a](https://github.com/mskelton/eslint-plugin-playwright/commit/960be8a5a7418f42a9485f8e00e71a6729c46f70)), closes [#​199](https://github.com/mskelton/eslint-plugin-playwright/issues/199) ### [`v2.5.1`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.5.1) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.5.0...v2.5.1) ##### Bug Fixes - **no-conditional-in-test:** Fix false positive for `||` ([611657c](https://github.com/mskelton/eslint-plugin-playwright/commit/611657c3cb5b932c9f261c297c4ab01d1fed4a6c)) ### [`v2.5.0`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.5.0) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.4.1...v2.5.0) ##### Bug Fixes - Fix lint ([4e8461d](https://github.com/mskelton/eslint-plugin-playwright/commit/4e8461dc5b73018d706782c729fbcce67347b7f6)) - Fix TypeScript types ([af7d870](https://github.com/mskelton/eslint-plugin-playwright/commit/af7d8702121f58eb5974b81a514470542162823c)) ##### Features - Add `enforce-consistent-spacing-between-blocks` rule ([#​411](https://github.com/mskelton/eslint-plugin-playwright/issues/411)) ([a9b78d5](https://github.com/mskelton/eslint-plugin-playwright/commit/a9b78d5d0c7a7c051d9bee85a584ca483dd22777)) - Add no-restricted-locators rule ([a65200b](https://github.com/mskelton/eslint-plugin-playwright/commit/a65200b1773b49ccafbd9a9b8a81e4e9f700bd67)), closes [#​407](https://github.com/mskelton/eslint-plugin-playwright/issues/407) - **prefer-web-first-assertions:** Support `allInnerTexts()` and `allTextContents()` ([36917a8](https://github.com/mskelton/eslint-plugin-playwright/commit/36917a86fb7e4ef49837e7657a8363d55f06e461)), closes [#​362](https://github.com/mskelton/eslint-plugin-playwright/issues/362) ### [`v2.4.1`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.4.1) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.4.0...v2.4.1) ##### Bug Fixes - **no-conditional-in-test:** allow nullish coalescing operator ([2c25b4f](https://github.com/mskelton/eslint-plugin-playwright/commit/2c25b4fe3b7d487a8cc06c43a1bf91fea3f3c7ea)), closes [#​406](https://github.com/mskelton/eslint-plugin-playwright/issues/406) ### [`v2.4.0`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.4.0) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.3.0...v2.4.0) ##### Bug Fixes - **missing-playwright-await:** prevent infinite recursion in checkValidity ([9ce346d](https://github.com/playwright-community/eslint-plugin-playwright/commit/9ce346ddde659050714bbe770363e3cbe1361c9c)) ##### Features - **expect-expect:** Support regex patterns ([#​390](https://github.com/playwright-community/eslint-plugin-playwright/issues/390)) ([fdd0253](https://github.com/playwright-community/eslint-plugin-playwright/commit/fdd025339b68173cb5aec57f83c8bc9792388be1)) ### [`v2.3.0`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.3.0) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.2.2...v2.3.0) ##### Bug Fixes - Check for test tags in titles ([377238c](https://github.com/playwright-community/eslint-plugin-playwright/commit/377238ccdecb88c8fd62abbb8dd8e89d8397236b)), closes [#​392](https://github.com/playwright-community/eslint-plugin-playwright/issues/392) ##### Features - Add no-unused-locators rule ([#​396](https://github.com/playwright-community/eslint-plugin-playwright/issues/396)) ([c0937d7](https://github.com/playwright-community/eslint-plugin-playwright/commit/c0937d72d2f102fd7531c86fb135256293e9be85)) ### [`v2.2.2`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.2.2) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.2.1...v2.2.2) ##### Bug Fixes - **prefer-web-first-assertions:** Fix false positive ([#​384](https://github.com/playwright-community/eslint-plugin-playwright/issues/384)) ([38a559e](https://github.com/playwright-community/eslint-plugin-playwright/commit/38a559e69978c19206d4a7a032f8fb4227306a11)) - **valid-test-tags:** disallow extra properties in rule options and add to recommended ([#​381](https://github.com/playwright-community/eslint-plugin-playwright/issues/381)) ([4762bbd](https://github.com/playwright-community/eslint-plugin-playwright/commit/4762bbdc13a5832266538b6fbcace391cc3aadfd)) ### [`v2.2.1`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.2.1) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.2.0...v2.2.1) ##### Features - Support addInitScript in no-unsafe-references - Add toContainClass method - Add valid-test-tags rule - Add no-wait-for-navigation rule ##### Bug Fixes - clean published package.json ([#​371](https://github.com/playwright-community/eslint-plugin-playwright/issues/371)) ([b8401e5](https://github.com/playwright-community/eslint-plugin-playwright/commit/b8401e51669c251ae31b4cdc610bdc4a0b3e9aba)), closes [#​360](https://github.com/playwright-community/eslint-plugin-playwright/issues/360) - no-conditional-in-test does not trigger for conditionals in test metadata (fixes [#​363](https://github.com/playwright-community/eslint-plugin-playwright/issues/363)) ([#​372](https://github.com/playwright-community/eslint-plugin-playwright/issues/372)) ([12b0832](https://github.com/playwright-community/eslint-plugin-playwright/commit/12b083248e50f6e23e95f7d3fbc6034672e87ba7)) - Remove no-slowed-test from recommended list ([#​348](https://github.com/playwright-community/eslint-plugin-playwright/issues/348)) ([6baec3a](https://github.com/playwright-community/eslint-plugin-playwright/commit/6baec3ac2861b6cd2c8fcb83c61d00b4e3c82128)) - Support non-awaited expressions in prefer-web-first-assertions - Allow valid locators declared as variables - Fix false positive when using allowConditional ### [`v2.2.0`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.2.0) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.1.0...v2.2.0) ##### Features - Add `no-slowed-test` rule ([#​302](https://github.com/playwright-community/eslint-plugin-playwright/issues/302)) ([53df693](https://github.com/playwright-community/eslint-plugin-playwright/commit/53df693a1c9348205d453c1b791adf4f60242f0d)), closes [#​296](https://github.com/playwright-community/eslint-plugin-playwright/issues/296) - Add support for Playwright 1.50 ([#​347](https://github.com/playwright-community/eslint-plugin-playwright/issues/347)) ([956fe62](https://github.com/playwright-community/eslint-plugin-playwright/commit/956fe626c06bd12f57a1ed6fa009421bb0ce296a)) ##### Bug Fixes - **expect-expert:** report on test function identifier rather than body ([#​337](https://github.com/playwright-community/eslint-plugin-playwright/issues/337)) ([35e37a1](https://github.com/playwright-community/eslint-plugin-playwright/commit/35e37a12fb0691f6e549b01621c75c9556121899)) - **prefer-comparison-matcher:** Fix typo in docs ([c269371](https://github.com/playwright-community/eslint-plugin-playwright/commit/c269371be2dbc4557dcd24c24e06b8db056f681a)), closes [#​343](https://github.com/playwright-community/eslint-plugin-playwright/issues/343) ### [`v2.1.0`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.1.0) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.0.1...v2.1.0) ##### Features - Add `test.fail.only` as a valid chain ([c067ad2](https://github.com/playwright-community/eslint-plugin-playwright/commit/c067ad203fba4617a9e04ee610dc0ee3d1b40f04)) ### [`v2.0.1`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.0.1) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v2.0.0...v2.0.1) ##### Bug Fixes - Fix types for native TypeScript ESM ([4c61256](https://github.com/playwright-community/eslint-plugin-playwright/commit/4c61256978556570b4f528eb2ba932ebee110609)) ### [`v2.0.0`](https://github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.0.0) [Compare Source](https://github.com/mskelton/eslint-plugin-playwright/compare/v1.8.3...v2.0.0) ##### ⚠ BREAKING CHANGES - Remove jest-playwright configs ##### Features - Remove jest-playwright configs ([ba82509](https://github.com/playwright-community/eslint-plugin-playwright/commit/ba82509db582481df8805e310b797ac710c5e37b)) ##### Bug Fixes - Fix type exports ([f566df5](https://github.com/playwright-community/eslint-plugin-playwright/commit/f566df55f139a6ef37253cbda90f28889ed768f8)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: https://git.unespace.com/julien/apf_portal/pulls/36 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |