Latest commits for branch codeberg-10

CB/fix: set `exec/os.Cmd.WaitDelay` to non-zero value

Gusted — Wed, 09 Apr 2025 21:06:00 +0200

CB/fix: set `exec/os.Cmd.WaitDelay` to non-zero value Related to push mirror getting stuck because of ghost Git proceses.

cb/bp: avoid sorting team names for `ComposeMetas`

Gusted — Wed, 02 Apr 2025 17:45:17 +0200

cb/bp: avoid sorting team names for `ComposeMetas` - `ComposeMetas` is called to compose meta information for the markdown processer (which is called a lot), one of those information is the team names that have access to the repository. This is used to decide if a mention is a team mention or not. - The SQL query sorts the names, this is unnecessary and not required for within the processer; it does a simple `strings.Contains(teams, ","+teamName+",")`, which doesn't rely on sorted values. - Doing the SQL query with sorting against Codeberg's MariaDB took ~0.180s and without sorting took ~0.03s. Although the returned values are often a few rows (the query I tested returned 8 values) it seems that doing any sorting will create an temporary index and is mainly optimized where it has to sort a huge amount of rows. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7223 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Reviewed-by: Otto Co-authored-by: Gusted Co-committed-by: Gusted (cherry picked from commit 511148dbc3b18df56cef1dfd2f0f84b88930684c)

Update to latest Forgejo v10

Gusted — Wed, 02 Apr 2025 17:36:19 +0200

Update to latest Forgejo v10

cb/chore: lift issue and comment restriction for @joostdecock

Gusted — Wed, 02 Apr 2025 17:36:08 +0200

cb/chore: lift issue and comment restriction for @joostdecock Context: https://codeberg.org/Codeberg-e.V./Discussion/issues/129 This commit can be dropped in a few weeks.

Update module golang.org/x/net to v0.38.0 (v10.0/forgejo) (#7369)

Renovate Bot — Fri, 28 Mar 2025 13:09:56 +0000

Update module golang.org/x/net to v0.38.0 (v10.0/forgejo) (#7369) Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7369 Reviewed-by: Gusted Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot

cb/fix: Drop forgejo Makefile dependency

Codeberg Build Maintainers — Tue, 25 Mar 2025 23:56:45 +0000

cb/fix: Drop forgejo Makefile dependency

Update to latest Forgejo v10

Codeberg Build Maintainers — Sun, 23 Mar 2025 23:42:40 +0000

Update to latest Forgejo v10

[v10.0/forgejo] fix: use correct input for strip slashes middleware (#7306)

forgejo-backport-action — Sat, 22 Mar 2025 17:30:28 +0000

[v10.0/forgejo] fix: use correct input for strip slashes middleware (#7306) **Backport:** https://codeberg.org/forgejo/forgejo/pulls/7295 - The router must use the escaped path in order to ensure correct functionality (at least, that is what they say). However `req.URL.Path` shouldn't be set to the escaped path, which is fixed in this patch. - Simplify the logic and no longer try to use `rctx.RoutePath`, this is only useful if the middleware was placed after some routing parsing was done. - Resolves forgejo/forgejo#7294 - Resolves forgejo/forgejo#7292 - Add unit test ## Release notes - Bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/7295): use correct input for strip slashes middleware Co-authored-by: Gusted Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7306 Co-authored-by: forgejo-backport-action Co-committed-by: forgejo-backport-action

Update module golang.org/x/net to v0.36.0 [SECURITY] (v10.0/forgejo) (#7303)

Renovate Bot — Sat, 22 Mar 2025 16:47:19 +0000

Update module golang.org/x/net to v0.36.0 [SECURITY] (v10.0/forgejo) (#7303) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | require | minor | [`v0.33.0` -> `v0.36.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.33.0...refs/tags/v0.36.0) | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503)

More information

--- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503)

More information

#### Details Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. #### Severity - CVSS Score: 4.4 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) - [https://go-review.googlesource.com/q/project:net](https://go-review.googlesource.com/q/project:net) - [https://go.dev/cl/654697](https://go.dev/cl/654697) - [https://go.dev/issue/71984](https://go.dev/issue/71984) - [https://pkg.go.dev/vuln/GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503) - [http://www.openwall.com/lists/oss-security/2025/03/07/2](http://www.openwall.com/lists/oss-security/2025/03/07/2) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-qxp5-gwg8-xv66) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).

--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7303 Reviewed-by: Earl Warren Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot

Update module golang.org/x/oauth2 to v0.27.0 [SECURITY] (v10.0/forgejo) (#7304)

Renovate Bot — Sat, 22 Mar 2025 15:53:21 +0000

Update module golang.org/x/oauth2 to v0.27.0 [SECURITY] (v10.0/forgejo) (#7304) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) | require | minor | [`v0.23.0` -> `v0.27.0`](https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.23.0...refs/tags/v0.27.0) | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Unexpected memory consumption during token parsing in golang.org/x/oauth2 [CVE-2025-22868](https://nvd.nist.gov/vuln/detail/CVE-2025-22868) / [GO-2025-3488](https://pkg.go.dev/vuln/GO-2025-3488)

More information

#### Details An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. #### Severity Unknown #### References - [https://go.dev/cl/652155](https://go.dev/cl/652155) - [https://go.dev/issue/71490](https://go.dev/issue/71490) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3488) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).

--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7304 Reviewed-by: Earl Warren Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot