## Release notes

- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the `S256` algorithm
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): fix: email notifications for new releases could be sent to users that no longer have access to the repository, or to inactive users
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects
- Included for completeness but not user-facing (chores, etc.)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11526): Update dependency go to v1.25.8 (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11509): Update dependency svgo to v3.3.3 [SECURITY] (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11496): Update github.com/golang-jwt/jwt/v4 (indirect) to v4.5.2 [SECURITY] (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11495): Update github.com/cloudflare/circl (indirect) to v1.6.3 [SECURITY] (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11473): Update https://data.forgejo.org/actions/cascading-pr action to v2.3.0 (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11474): Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.7 (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11414): Update dependency minimatch to v10.2.3 [SECURITY] (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11396): Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11395): Update dependency webpack to v5.104.1 [SECURITY] (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11394): Update module github.com/go-chi/chi/v5 to v5.2.4 [SECURITY] (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11167): Update dependency go to v1.25.7 (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10981): Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.5.1 (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10982): Update https://data.forgejo.org/infrastructure/issue-action action to v1.5.0 (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10907): Update dependency happy-dom to v20.0.2 [SECURITY] (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10879): Update dependency happy-dom to v20 [SECURITY] (v11.0/forgejo)
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10883) ([backported](https://codeberg.org/forgejo/forgejo/pulls/10885)): ci: tie go cache to go version and add `Makefile` to key hash