From cfd4d53e3217b9b1a8650d5f09841e0d045ba0ab Mon Sep 17 00:00:00 2001 From: forgejo-release-manager Date: Mon, 9 Mar 2026 07:00:32 +0100 Subject: [PATCH] chore(release-notes): Forgejo v14.0.3 [skip ci] (#11583) https://codeberg.org/forgejo/forgejo/milestone/55554 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11583 Reviewed-by: Beowulf Co-authored-by: forgejo-release-manager Co-committed-by: forgejo-release-manager --- release-notes-published/14.0.3.md | 54 +++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 release-notes-published/14.0.3.md diff --git a/release-notes-published/14.0.3.md b/release-notes-published/14.0.3.md new file mode 100644 index 0000000000..d86e59c31e --- /dev/null +++ b/release-notes-published/14.0.3.md 
@@ -0,0 +1,54 @@ + + + + +## Release notes + +- Security bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the `S256` algorithm + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): fix: email notifications for new releases could be sent to users that no longer access to the repository, or to inactive users + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11514): fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects +- User Interface bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11381) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11413)): fix(ui): hardcode sort options in search syntax hint, improve look + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11547) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11560)): fix: modals on small viewport height + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11341) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11499)): fix(ui/mde): inputs in table/link insertion modals + - 
[PR](https://codeberg.org/forgejo/forgejo/pulls/11287) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11327)): fix(ui): prevent label overflow in PR CI checks on mobile +- Localization + - Updates from Codeberg Translate: [#11535](https://codeberg.org/forgejo/forgejo/pulls/11535) (backport of [#10978](https://codeberg.org/forgejo/forgejo/pulls/10978), [#11344](https://codeberg.org/forgejo/forgejo/pulls/11344)) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11570): i18n: backport of hint_with_placeholder translations +- Bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11393) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11557)): fix: extend basic auth to /v2, always include WWW-Authenticate header (#11393) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11282) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11484)): prevent panic when importing issues from GitLab + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11282) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11484)): prevent panic when importing releases with more than 4 release assets from GitLab + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11282) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11484)): correct re-mapping of merge-request numbers mentioned in GitLab comments + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11246) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11254)): fix: cleanup of multi-platform container images + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11164) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11166)): fix: when expanding a dynamic matrix, original 'needs' access was lost + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11179) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11220)): fix: improve SQLite "database is locked" errors by increasing default `SQLITE_TIMEOUT` + - [PR](https://codeberg.org/forgejo/forgejo/pulls/10933) 
([backported](https://codeberg.org/forgejo/forgejo/pulls/11126)): fix: use an absolute URL for compare links in atom feed +- Included for completeness but not user-facing (chores, etc.) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11581): i18n: revert zh-CN changes in 1452c3ae70 and f602b5f5ed + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11335) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11555)): fix: skip repo avatar upload when no file is selected + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11168): Update dependency go to v1.25.7 (v14.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11478) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11552)): fix: RPM registry addrepo instructions + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11542) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11551)): chore: skip sha256 repo for older git versions + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11525) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11528)): chore: add more diagnostic output to dbfs Stat error + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11527): Update dependency go to v1.25.8 (v14.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11510): Update dependency svgo to v4.0.1 [SECURITY] (v14.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11498): Update github.com/cloudflare/circl (indirect) to v1.6.3 [SECURITY] (v14.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11475): Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.7 (v14.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11415): Update dependency minimatch to v10.2.3 [SECURITY] (v14.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11467): ci: ensure correct node version + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11464): Update module code.superseriousbusiness.org/exif-terminator to v0.11.1 (v14.0/forgejo) + - 
[PR](https://codeberg.org/forgejo/forgejo/pulls/11412): chore: bump go-git/v5 indirect dependency for govulncheck + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11398): Update dependency webpack to v5.104.1 [SECURITY] (v14.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11397): Update module github.com/go-chi/chi/v5 to v5.2.4 [SECURITY] (v14.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11245): Update module github.com/mattn/go-sqlite3 to v1.14.34 (v14.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11244): Update module code.forgejo.org/forgejo/runner/v12 to v12.6.4 (v14.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11145) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11148)): fix: don't abandon Action jobs waiting for approval + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11176) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11178)): : ensure consistent sort order in TestFeed fixture + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11134) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11135)): fix: cancel runs pending approval when a PR is closed +
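Review bot: in the "Security bug fixes" list, the release-notification entry reads "users that no longer access to the repository", which is missing a verb; suggest "users that no longer have access to the repository", since this is the text administrators will read to judge exposure. In the final section, the entry for pulls/11176 reads ": ensure consistent sort order in TestFeed fixture" with an empty type prefix, leaving a stray ": :" after the backport link; restore the prefix or drop the extra colon. The five dependency updates tagged [SECURITY] (svgo, circl, minimatch, webpack, go-chi/chi) appear only under "Included for completeness but not user-facing", so a reader who stops at the security list will not see them; consider a one-line pointer from the security section. The basic auth entry also carries a trailing "(#11393)" that duplicates its PR link.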