mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
64da55707f96fd89abc10349c57976bb0a8e4e4a
8423 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
dependabot[bot]
|
64da55707f |
build(deps): bump @types/node from 24.5.2 to 24.7.2 in /website (#10835)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.5.2 to 24.7.2. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Thomas Eizinger
|
4a64ff889b |
fix(website): redirect to correct release (#10864)
Quick-fix to ensure Gateway upgrades work. Fix for the script will come later. Resolves: #10860 |
||
|
Thomas Eizinger
|
5f61eaf8f2 |
feat(connlib): encode and decode DoH messages (#10857)
In order to support DoH, we need to be able to encode and decode DNS queries and responses from and to HTTP requests and responses. We therefore extend your `dns-types` crate with the required functionality. The [RFC8484](https://datatracker.ietf.org/doc/html/rfc8484) provides us with two test vectors that we can test against. Related: #4668 --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: thomaseizinger <5486389+thomaseizinger@users.noreply.github.com> |
||
|
Thomas Eizinger
|
cf14a8694c |
fix(connlib): use system DNS resolvers to re-resolve portal URL (#10853)
In #10817, we landed a fix that allows Clients to re-resolve the portal URL every time the WebSocket connection fails. Currently, we use the active upstream resolvers for this. This can lead to a kind of deadlock in case the upstream resolver is a CIDR resource that we are not yet connected to. In that case, we'd need a connection to the portal to establish a connection to the Gateway. By always using the system resolvers for this, we avoid this circular dependency. |
||
|
Thomas Eizinger
|
3e849ae852 |
fix(gui-client): use Wayland rendering backend on Linux (#10849)
Previously, we opted into the X11 GTK backend when rendering the GUI Client's window. This is causing issues on newer Linux distributions such as Fedora 43 where Wayland is now the only available compositor. Removing the X11 GTK requires us to draw our own CSDs such as titlebars and a close button. This PR does exactly that by adding a minimalistic title bar. To make better use of the space, we move the section headers into there. |Before|After| |---|---| |<img width="1900" height="1174" alt="Screenshot From 2025-11-11 11-14-11" src="https://github.com/user-attachments/assets/9439a69b-65ba-41d6-b1f8-4448e0f80728" />|<img width="1800" height="1000" alt="Screenshot From 2025-11-11 11-40-55" src="https://github.com/user-attachments/assets/7884b2cc-3d9c-4b47-9a1e-c6462aef36ab" />| |<img width="1900" height="1174" alt="Screenshot From 2025-11-11 11-14-16" src="https://github.com/user-attachments/assets/2cfea825-5c08-45a5-873c-5afcbc1dbf16" />|<img width="1800" height="1000" alt="Screenshot From 2025-11-11 11-40-58" src="https://github.com/user-attachments/assets/43ddd7c9-ce65-42f7-b972-28c6b172b70d" />| |<img width="1900" height="1174" alt="Screenshot From 2025-11-11 11-14-19" src="https://github.com/user-attachments/assets/446873a7-9023-4266-9377-ea7b8b4353ee" />|<img width="1800" height="1000" alt="Screenshot From 2025-11-11 11-41-01" src="https://github.com/user-attachments/assets/64439383-f33f-461d-9b4a-6b4138bd675b" />| |<img width="1900" height="1174" alt="Screenshot From 2025-11-11 11-14-22" src="https://github.com/user-attachments/assets/6c39e06c-1d77-471f-91f1-32a78b90a21c" />|<img width="1800" height="1000" alt="Screenshot From 2025-11-11 11-41-04" src="https://github.com/user-attachments/assets/b56912cb-9c85-4b5a-9295-dae6139b25c6" />| |<img width="1900" height="1174" alt="Screenshot From 2025-11-11 11-14-26" src="https://github.com/user-attachments/assets/5a5d638c-15bf-4523-8466-2e0977a03e22" />|<img width="1800" height="1000" alt="Screenshot From 2025-11-11 11-41-06" src="https://github.com/user-attachments/assets/ed169b52-ef86-4dc4-8f25-852da622eaa1" />| |
||
|
Thomas Eizinger
|
0008539b65 |
refactor(connlib): use dedicated UDP DNS client (#10850)
By default, DNS queries are sent over UDP by most systems. UDP is an easy to understand protocol because each packet stands by itself and at least as far as UDP is concerned, the payload is contained within a single packet. In Firezone, we receive all DNS traffic on the TUN device as IP packets. Processing the UDP packets is trivial as each query is contained within a single IP packet. For TCP, we first need to assemble the TCP stream before we can read the entire query. In case a DNS query is not for a Firezone DNS resource, we want to forward it to the specified upstream resolver, either directly from the system or - in case the specified upstream resolver is an IP resource - through the tunnel as an IP packet. Specifically, the forwarding of UDP DNS packets through the tunnel currently happens like this: IP packet -> read UDP payload -> parse DNS query -> mangle original destination IP to new upstream -> send through tunnel For TCP DNS queries, it is not quite as easy as we have to decode the incoming TCP stream first before we can parse the DNS query. Thus, when we want to then forward the query, we need to open our own TCP stream to the upstream resolver and encode the DNS query onto that stream, sending each IP packet from the TCP client through the tunnel. The difference in these designs makes several code paths in connlib hard to follow. Therefore - and despite the simplicity of DNS over UDP - we already created our own "Layer 3 UDP DNS"-client. This PR now integrates this client into the tunnel. Using this new client, we can simplify the processing of UDP DNS queries because we never have to "go back" to the original IP packet. Instead, when a DNS query needs to be forwarded to an usptream resolver through the tunnel, we simply tell the Layer 3 UDP DNS client to make a new DNS query. The processing of the resulting IP packet then happens in a different place, right next to where we also process the IP packets of the TCP DNS client. That simplifications unlocks further refactorings where we now only process DNS queries in a single place and the transport we received it over is a simple function parameter with the control flow for both of them being identical. Related: #4668 |
||
|
Thomas Eizinger
|
de7d3bff89 |
fix(connlib): re-resolve portal host on WS hiccup (#10817)
Currently, the DNS records for the portal's hostname are only resolved during startup. When the WebSocket connection fails, we try to reconnect but only with the IPs that we have previously resolved. If the local IP stack changed since then or the hostname now points to different IPs, we will run into the reconnect-timeout configured in `phoenix-channel`. To fix this, we re-resolve the portal's hostname every time the WebSocket connection fails. For the Gateway, this is easy as we can simply reuse the already existing `TokioResolver` provided by hickory. For the Client, we need to write our own DNS client on top of our socket factory abstraction to ensure we don't create a routing loop with the resulting DNS queries. To simplify things, we only send DNS queries over UDP. Those are not guaranteed to succeed but given that we do this on every "hiccup", we already have a retry mechanism. We use the currently configured upstream DNS servers for this. Resolves: #10238 |
||
|
Thomas Eizinger
|
189c358975 |
feat(portal): add Debian/Ubuntu deployment tab (#10741)
Now that we have an APT repository for Debian / Ubuntu packages, we should also tell our users about it. We introduce a new "Debian / Ubuntu" tab on the deployments screen in the portal. The tab is selected by default as it should provide the best user experience for manually deployed Gateways: - Updates are as easy as `sudo apt upgrade` - The systemd file and token are fully managed in the background Here is what the new tab looks like: <img width="679" height="786" alt="image" src="https://github.com/user-attachments/assets/da69fc55-6a6a-476d-bed4-634dd05df8bc" /> Resolves: #10701 --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
dependabot[bot]
|
a982f0bafb |
build(deps-dev): bump typescript from 5.9.2 to 5.9.3 in /website (#10840)
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.9.2 to 5.9.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/microsoft/TypeScript/releases">typescript's releases</a>.</em></p> <blockquote> <h2>TypeScript 5.9.3</h2> <p>Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.</p> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-9/">release announcement</a></p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.9.0%22+is%3Aclosed+">fixed issues query for Typescript 5.9.0 (Beta)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.9.1%22+is%3Aclosed+">fixed issues query for Typescript 5.9.1 (RC)</a>.</li> <li><em>No specific changes for TypeScript 5.9.2 (Stable)</em></li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.9.3%22+is%3Aclosed+">fixed issues query for Typescript 5.9.3 (Stable)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
c6aa971947 |
build(deps): bump fast-xml-parser from 5.2.5 to 5.3.0 in /website (#10841)
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.2.5 to 5.3.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md">fast-xml-parser's changelog</a>.</em></p> <blockquote> <p><!-- raw HTML omitted -->Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.<!-- raw HTML omitted --></p> <p><strong>5.3.1 / 2025-11-03</strong></p> <ul> <li>Performance improvement for stopNodes (By <a href="https://github.com/macieklamberski">Maciek Lamberski</a>)</li> </ul> <p><strong>5.3.0 / 2025-10-03</strong></p> <ul> <li>Use <code>Uint8Array</code> in place of <code>Buffer</code> in Parser</li> </ul> <p><strong>5.2.5 / 2025-06-08</strong></p> <ul> <li>Inform user to use <a href="https://github.com/NaturalIntelligence/fxp-cli">fxp-cli</a> instead of in-built CLI feature</li> <li>Export typings for direct use</li> </ul> <p><strong>5.2.4 / 2025-06-06</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/747">#747</a>): fix EMPTY and ANY with ELEMENT in DOCTYPE</li> </ul> <p><strong>5.2.3 / 2025-05-11</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/747">#747</a>): support EMPTY and ANY with ELEMENT in DOCTYPE</li> </ul> <p><strong>5.2.2 / 2025-05-05</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/746">#746</a>): update strnum to fix parsing issues related to enotations</li> </ul> <p><strong>5.2.1 / 2025-04-22</strong></p> <ul> <li>fix: read DOCTYPE entity value correctly</li> <li>read DOCTYPE NOTATION, ELEMENT exp but not using read values</li> </ul> <p><strong>5.2.0 / 2025-04-03</strong></p> <ul> <li>feat: support metadata on nodes (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/593">#593</a>) (By <a href="https://github.com/srl295">Steven R. Loomis</a>)</li> </ul> <p><strong>5.1.0 / 2025-04-02</strong></p> <ul> <li>feat: declare package as side-effect free (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/738">#738</a>) (By <a href="https://github.com/tbouffard">Thomas Bouffard</a>)</li> <li>fix cjs build mode</li> <li>fix builder return type to string</li> <li></li> </ul> <p><strong>5.0.9 / 2025-03-14</strong></p> <ul> <li>fix: support numeric entities with values over 0xFFFF (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/726">#726</a>) (By <a href="https://github.com/mcdurdin">Marc Durdin</a>)</li> <li>fix: update strnum to fix parsing 0 if skiplike option is used</li> </ul> <p><strong>5.0.8 / 2025-02-27</strong></p> <ul> <li>fix parsing 0 if skiplike option is used. <ul> <li>updating strnum dependency</li> </ul> </li> </ul> <p><strong>5.0.7 / 2025-02-25</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/724">#724</a>) typings for cjs.</li> </ul> <p><strong>5.0.6 / 2025-02-20</strong></p> <ul> <li>fix cli output (By <a href="https://github.com/angeld7">Angel Delgado</a>) <ul> <li>remove multiple JSON parsing</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
a9058c7f55 |
build(deps): bump known-folders from 1.3.1 to 1.4.0 in /rust (#10831)
Bumps [known-folders](https://github.com/artichoke/known-folders-rs) from 1.3.1 to 1.4.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/artichoke/known-folders-rs/releases">known-folders's releases</a>.</em></p> <blockquote> <h2>v1.4.0</h2> <h2>What's Changed</h2> <ul> <li>Bump thor from 1.3.2 to 1.4.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/85">artichoke/known-folders-rs#85</a></li> <li>Bump rubocop from 1.77.0 to 1.79.1 in the bundler-deps group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/86">artichoke/known-folders-rs#86</a></li> <li>Bump the gha-deps group with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/87">artichoke/known-folders-rs#87</a></li> <li>Use zizmor audit action by <a href="https://github.com/lopopolo"><code>@lopopolo</code></a> in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/88">artichoke/known-folders-rs#88</a></li> <li>Bump rubocop from 1.79.1 to 1.81.1 in the bundler-deps group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/89">artichoke/known-folders-rs#89</a></li> <li>Bump the gha-deps group with 5 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/91">artichoke/known-folders-rs#91</a></li> <li>Relax windows-sys version requirement, prepare for v1.4.0 release by <a href="https://github.com/lopopolo"><code>@lopopolo</code></a> in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/92">artichoke/known-folders-rs#92</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/artichoke/known-folders-rs/compare/v1.3.1...v1.4.0">https://github.com/artichoke/known-folders-rs/compare/v1.3.1...v1.4.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
e9fcb20564 |
build(deps): bump nu-ansi-term from 0.50.1 to 0.50.3 in /rust (#10830)
Bumps [nu-ansi-term](https://github.com/nushell/nu-ansi-term) from 0.50.1 to 0.50.3. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/nushell/nu-ansi-term/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Thomas Eizinger
|
6e85638360 |
chore(connlib): silence hickory_resolver (#10848)
Logs from the `hickory_resolver` module are a bit noisy, so filter those out from our logs. |
||
|
Thomas Eizinger
|
49b7701536 |
ci: promote preview .deb to stable on release (#10846)
The current CI job expects the release to have the `.deb` files attached. Since writing that workflow, I've changed my mind on attaching the `.deb` files there. Instead, they are only uploaded to the repository. Without documentation on how to use them, these `.deb` files are unlikely to provide a good user experience. We change the job to instead promote the latest "preview` archives to the stable repo. |
||
|
Jamil
|
bd2abbaae3 |
feat(apple): config to hide resource list (#10824)
Adds a configuration variable `hideResourceList` accessible by provisioning profile only to hide or show the Resource list. This is helpful when end-users need not be concerned with the resources available to their account. Also updates the associated ProfileManifests, docs, and a little bit of housekeeping around `configuration`, making it public for direct access. <img width="292" height="228" alt="Screenshot 2025-11-09 at 9 12 47 PM" src="https://github.com/user-attachments/assets/a4ce5586-bf92-4ebc-bc0d-51215e1efd61" /> Related: https://github.com/ProfileManifests/ProfileManifests/pull/839 Fixes: #10808 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
Firezone Bot
|
5ae2707719 | chore: publish gateway 1.4.18 (#10823) | ||
|
Thomas Eizinger
|
3022c019e1 |
chore(connlib): set user.account_slug for Sentry logs (#10815)
By default, the Sentry SDK doesn't include custom user attributes when it sends logs. To make viewing logs easier, we add the `account_slug` attribute to all logs that are posted to Sentry. |
||
|
Thomas Eizinger
|
166b0d1573 |
feat(linux): compute device ID from /etc/machine-id (#10805)
All of our Linux applications have a soft-dependency on systemd. That is, in the default configuration, we expect systemd to be present on the machine. The only exception here are the docker containers for Headless Client and Gateway. For the GUI client in particular, systemd is a hard-dependency in order to control DNS on the system which we do via `systemd-resolved`. To secure the communication between the GUI client and its tunnel process, we automatically create a group called `firezone-client` to which the user gets added. All members of the group are allowed to access the unix socket which is used for IPC between the two processes. Membership in this group is also a prerequisite for accessing any of the configuration files. On the first launch of the GUI client on a Linux system, this presents a problem. For group membership changes to take the effect, the user needs to reboot. We say that in the documentation but it is unclear whether all users will read that thoroughly enough. To help the user, the GUI client checks for membership of the current user in the group and alerts the user via a dialog box if that isn't the case. This would all be fine if it would actually work. Unfortunately, that check ends up being too late in the process. If we aren't a member of the group, we cannot read the device ID and bail early, thus never reaching the check and terminating the process without any dialog box or user-visible error. We could attempt to fix this by shuffling around some of the startup init code. That is a sub-optimal solution however because it a) may get broken again in the future and b) it means we have to delay initialisation of telemetry until a much later point. Given that this is only a problem on Linux, a better solution is to simply not rely on the disk-based device ID at all. Instead, we can integrate with systemd and deterministically derive a device ID from the unique machine ID and a randomly chosen "app ID". For backwards-compatibility reasons, the disk-based device ID is still prioritised. For all new installs however, we will use the one based on `/etc/machine-id`. |
||
|
Thomas Eizinger
|
8651413a95 |
chore(gateway): downgrade warning if peer not found (#10814)
Logging this on WARN appears to be a bit excessive and there is not really anything we can do about it. Resolves: #10813 |
||
|
Thomas Eizinger
|
f4216710e0 |
fix(telemetry): don't append duplicate attributes in Sentry log (#10819)
When we are building the log message that is sent to Sentry, we append several attributes to mimic the formatting that we get from `tracing_subscriber::fmt`. To do that, we strip the span name from the attribute which can result in us processing the same attribute such as `cid` twice: Once from a span and once from the actual log message. In order to not append the same message twice, we check for its presence in the attributes map first. This avoids having message in Sentry such as: ``` Sampled relay cid=c18e1da8-8ef8-4e11-a325-28d6b387d503 rid=3af15c76-9e84-46a6-90e1-63ecb2bc9f80 cid=c18e1da8-8ef8-4e11-a325-28d6b387d503 ``` |
||
|
Thomas Eizinger
|
bc95a1f425 |
chore(snownet): log connection state on failure (#10820)
When investigating, why a connection fails it is useful to know right away, what the last connection state was, including the kind of connection, such as `PeerToPeer`, `RelayToPeer` etc. |
||
|
Thomas Eizinger
|
123c5a5d97 |
chore(connlib): always include wire::api as Sentry breadcrumb (#10821)
Sentry appends "breadcrumbs" to every error that gets sent to the backend. By default, those include the last 500 DEBUG logs. Our `phoenix_channel` module logs the incoming and outgoing messages on TRACE using the `wire::api::send` and `wire::api::recv` targets. To make debugging these easier, we always include anything on `wire::api` in the breadcrumbs. |
||
|
Thomas Eizinger
|
74bd28d25a |
ci(gui-client): fix .deb test installation (#10816)
The current test installation fails because it is operating in a headless environment without a display user. Some more testing of the `who` command showed that we can simply take the first user. That avoids `grep` which was previously failing with an exit code of 1, aborting the installation because our `postinst` script has `pipefail` set. |
||
|
Thomas Eizinger
|
3eead925fe |
chore(gui-client): tidy up postinst script (#10804)
Specifying `sudo` in the script is unnecessary as it already runs as root. Additionally, only executing `systemd-sysusers` for our config file is better because it narrows the scope of what should be done. |
||
|
Thomas Eizinger
|
f98c4dd428 |
fix(gateway): declare hard-dependency on systemd (#10803)
Several aspects of the Gateway's Debian package depend on `systemd` being present. Without it, we don't have the necessary users and files in place for the Gateway to function. With that specified, we can fail the `postinst` script (and therefore the installation) if anything in there goes wrong. |
||
|
dependabot[bot]
|
839cc4b7b3 |
build(deps): bump parking_lot from 0.12.4 to 0.12.5 in /rust (#10780)
Bumps [parking_lot](https://github.com/Amanieu/parking_lot) from 0.12.4 to 0.12.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md">parking_lot's changelog</a>.</em></p> <blockquote> <h2><code>parking_lot</code> - <a href="https://github.com/Amanieu/parking_lot/compare/parking_lot-v0.12.4...parking_lot-v0.12.5">0.12.5</a> - 2025-09-30</h2> <ul> <li>Bumped MSRV to 1.71</li> <li>Fixed Miri when the <code>hardware-lock-elision</code> feature is enabled (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/491">#491</a>)</li> <li>Added missing <code>into_arc(_fair)</code> methods (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/472">#472</a>)</li> <li>Fixed <code>RawRwLock::bump_*()</code> not releasing lock when there are multiple readers (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/471">#471</a>)</li> </ul> <h2><code>parking_lot_core</code> - <a href="https://github.com/Amanieu/parking_lot/compare/parking_lot_core-v0.9.11...parking_lot_core-v0.9.12">0.9.12</a> - 2025-09-30</h2> <ul> <li>Bumped MSRV to 1.71</li> <li>Switched from <code>windows-targets</code> to <code>windows-link</code>. (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/493">#493</a>)</li> <li>Replaced <code>thread-id</code> dependency with <code>std::thread::ThreadId</code> (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/483">#483</a>)</li> <li>Added SGX implementation for <code>ThreadParker.park_until</code> (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/481">#481</a>)</li> </ul> <h2><code>lock_api</code> - <a href="https://github.com/Amanieu/parking_lot/compare/lock_api-v0.4.13...lock_api-v0.4.14">0.4.14</a> - 2025-09-30</h2> <ul> <li>Fixed use of <code>doc_cfg</code> when building on docs.rs.</li> <li>Bumped MSRV to 1.71</li> <li>Added <code>#[track_caller]</code> where locking implementations could feasibly need to panic</li> <li>Added <code>try_map_or_err</code> to various mutex guards (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/480">#480</a>)</li> <li>Removed unnecessary build script and <code>autocfg</code> dependency (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/474">#474</a>)</li> <li>Added missing <code>into_arc(_fair)</code> methods (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/472">#472</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
89f0af3fd7 | fix(gateway): remove exclamation mark from sysusers.conf (#10802) | ||
|
Thomas Eizinger
|
024b1864b4 |
feat(linux): automatically add user to firezone-client group (#10787)
By checking various environment variables, we can automatically add the current user to the `firezone-client` group which allows them to connect to the IPC socket of the tunnel process. Unfortunately, they still have to create a new login session / reboot for that to be reflected. The docs update for this will follow once we have cut a release with this code in it. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
Mariusz Klochowicz
|
470680cb1f |
chore(apple): Migrate to latest Xcode recommended settings (#10766)
Prompted by Xcode warning at project startup. Most of the changes are simple migrations from entitlements files to build settings, which is the recommended approach, and were done automatically by Xcode. new settings: - REGISTER_APP_GROUPS - Automatically registers app groups with provisioning profile (I had to set this manually when setting up, so it's a welcome change) - STRING_CATALOG_GENERATE_SYMBOLS - type-safe localization (no regression, we're not doing any localization currently) - ENABLE_USER_SCRIPT_SANDBOXING - sandboxing all the build scripts Note: I had to turn off the recommended `ENABLE_USER_SCRIPT_SANDBOXING` as it would interfere with our building of connlib during the build. Also: make Makefile more ergonomic to use (setup LSP config during first build) |
||
|
Thomas Eizinger
|
602844ae4a |
fix(gateway): always update translation table from DNS response (#10796)
For DNS resources, the Gateway maintains a per-peer NAT table from the client-assigned proxy IPs to the real IPs of the domain. Whenever the Client re-queries a DNS resource domain locally, we asynchronously ping the Gateway to also re-query said domain. This allows us to detect changes in the DNS records of DNS resources. To avoid breaking existing connections, the mapping between proxy IPs and real IPs is currently not updated if there are any active UDP or TCP flows for a proxy IP. This logic turns out to be unnecessarily restrictive as TCP flows can linger around for up to 2h before they timeout if they are not closed with a TCP RST. What we really need to do is always update the mapping of proxy IP <> real IP but honor existing NAT table entries when we route packets before creating new ones. This ensures that an existing connection to a previously resolved IP remains intact, even if a later DNS response for the same domain updates the mapping. At the same time, new connections (i.e. with a different source port) will immediately use the new destination IP. |
||
|
Mariusz Klochowicz
|
b5048ad779 |
refactor(apple): Convert IPCClient from actor to stateless enum (#10797)
Refactors IPCClient from an actor to a stateless enum with static methods, removing unnecessary actor isolation and instance management. - IPCClient: Actor → enum with static methods taking session parameter - Store: Removed IPCClient instance caching, added resource list caching - Store: Moved resource fetching logic from IPCClient into Store - All call sites: Updated to pass session directly to static methods Store now directly manages resource list hashing and caching via fetchResources() method, using SHA256 hash optimisation to avoid redundant updates when resource lists haven't changed. |
||
|
Mariusz Klochowicz
|
936b095391 |
chore(apple): Enable Swift 6.2 Approachable Concurrency features (#10799)
Enables SWIFT_APPROACHABLE_CONCURRENCY build setting which activates a few key Swift 6.2 concurrency features, including: 1. NonisolatedNonsendingByDefault - Makes nonisolated async functions run on the caller's executor instead of the global executor, providing more predictable performance and behaviour 2. InferIsolatedConformances - Protocol conformances automatically inherit global actor isolation, reducing annotation burden Read more: https://www.donnywals.com/what-is-approachable-concurrency-in-xcode-26/ Also bumps swift-tools-version from 6.0 to 6.2 in Package.swift to enable newer Package Manager manifest APIs. As a result of better type inference, removes 1 redundant @Sendable annotation in Store.swift: - vpnStatusChangeHandler: @MainActor closures are implicitly Sendable |
||
|
Thomas Eizinger
|
72dd7187f4 |
revert: specify systemd-resolved dependency (#10798)
I can't make the CI smoke install work with this change. Reverts firezone/firezone#10783 |
||
|
Mariusz Klochowicz
|
bf95dc45a3 |
refactor(apple): Upgrade to Swift 6.2 with concurrency checks (#10682)
This PR upgrades the Swift client from Swift 5 to Swift 6.2, addressing
all
concurrency-related warnings and runtime crashes that come with Swift
6's
strict concurrency checking.
## Swift 6 Concurrency Primer
**`actor`** - A new reference type that provides thread-safe, serialised
access to mutable state. Unlike classes, actors ensure that only one
piece of
code can access their mutable properties at a time. Access to actor
methods/properties requires await and automatically hops to the actor's
isolated executor.
**`@MainActor`** - An attribute that marks code to run on the main
thread.
Essential for UI updates and anything that touches UIKit/AppKit. When a
class/function is marked @MainActor, all its methods and properties
inherit
this isolation.
**`@Sendable`** - A protocol indicating that a type can be safely passed
across concurrency domains (between actors, tasks, etc.). Value types
(structs, enums) with Sendable stored properties are automatically
Sendable.
Reference types (classes) need explicit @unchecked Sendable if they
manage
thread-safety manually.
**`nonisolated`** - Opts out of the containing type's actor isolation.
For
example, a nonisolated method in a @MainActor class can be called from
any
thread without await. Useful for static methods or thread-safe
operations.
**`@concurrent`** - Used on closure parameters in delegate methods.
Indicates
the closure may be called from any thread, preventing the closure from
inheriting the surrounding context's actor isolation. Critical for
callbacks
from system frameworks that call from background threads.
**Data Races** - Swift 6 enforces at compile-time (and optionally at
runtime)
that mutable state cannot be accessed concurrently from multiple
threads. This
eliminates entire classes of bugs that were previously only caught
through
testing or production crashes.
## Swift Language Upgrade
- **Bump Swift 5 → 6.2**: Enabled strict concurrency checking throughout
the
codebase
- **Enable ExistentialAny (SE-0335)**: Adds compile-time safety by
making
protocol type erasure explicit (e.g., any Protocol instead of implicit
Protocol)
- **Runtime safety configuration**: Added environment variables to log
concurrency violations during development instead of crashing, allowing
gradual migration
## Concurrency Fixes
### Actor Isolation
- **TelemetryState actor** (Telemetry.swift:10): Extracted mutable
telemetry
state into a dedicated actor to eliminate data races from concurrent
access
- **SessionNotification @MainActor isolation**
(SessionNotification.swift:25):
Properly isolated the class to MainActor since it manages UI-related
callbacks
- **IPCClient caching** (IPCClient.swift): Fixed actor re-entrance
issues and
resource hash-based optimisation by caching the client instance in Store
### Thread-Safe Callbacks
- **WebAuthSession @concurrent delegate** (WebAuthSession.swift:46): The
authentication callback is invoked from a background thread by
ASWebAuthenticationSession. Marked the wrapper function as @concurrent
to
prevent MainActor inference on the completion handler closure, then
explicitly hopped back to MainActor for the session.start() call. This
fixes EXC_BAD_INSTRUCTION crashes at _dispatch_assert_queue_fail.
- **SessionNotification @concurrent delegate**
(SessionNotification.swift:131): Similarly marked the notification
delegate
method as @concurrent and used Task { @MainActor in } to safely invoke
the
MainActor-isolated signInHandler
### Sendable Conformances
- Added Sendable to Resource, Site, Token, Configuration, and other
model
types that are passed between actors and tasks
- **LogWriter immutability** (Log.swift): Made jsonData immutable to
prevent
capturing mutable variables in @Sendable closures
### Nonisolated Methods
- **Static notification display** (SessionNotification.swift:73): Marked
showSignedOutNotificationiOS() as nonisolated since it's called from the
Network Extension (different process) and only uses thread-safe APIs
Fixes #10674
Fixes #10675
|
||
|
Thomas Eizinger
|
bae38ec345 |
feat(connlib): add HTTP2 client with pluggable sockets (#10788)
Firezone's ability to tunnel all traffic on a particular Client (i.e. the Internet Resource) means we have to ensure that traffic originating from within the Firezone process does not get routed back into the tunnel. On MacOS and iOS, this is automatically taken care of for us. On all other platforms, we need to take steps to prevent these routing loops. This functionality is abstracted away using our `SocketFactory`. A socket created with such a factory is guaranteed to route its traffic outside of the tunnel. These sockets are used for the WebSocket connection to the portal, as well as for recursive UDP and TCP DNS queries. In order to support DoH, we need to also be able to send HTTPS requests without causing packet loops. This PR adds a new crate `http-client` that does exactly that. It composes together `hyper` and `rustls` such that the configured `SocketFactory` is used to create the TCP socket for the underlying HTTP2 connection. Consequently, HTTPS requests made with this library will automatically be routed outside of the tunnel, assuming the `SocketFactory` is adequately configured. Right now, this crate just stands by itself. It will be integrated into connlib at a later point. Resolves: #10774 Related: #4668 Related: #10272 |
||
|
Thomas Eizinger
|
b8b52c1f07 |
fix(portal): do not allow ports for upstream DNS servers (#10772)
DNS servers are standarised to be contacted on port 53. This is also hard-coded within `connlib` when we contact an upstream server. As such, we should disallow users inputting any custom port for upstream DNS servers. Luckily - or perhaps because it doesn't presently work - no users in production have actually put in a port. Resolves: #8330 |
||
|
Thomas Eizinger
|
352a83bbb0 |
refactor(connlib): allow creating multiple layer 4 DNS servers (#10763)
Within Firezone, there are multiple components that deal with DNS queries. Two of those components are the `l4-udp-dns-server` and `l4-tcp-dns-server`. Both of them are responsible for receiving DNS queries on layer 4, i.e. UDP or TCP. In other words, they do _not_ operate on an IP level (which would be layer 3) but instead use `UdpSocket` and `TcpListener` to receive queries and sent back responses. Right now, the interfaces of these crates are designed for the usecase of receiving forwarded DNS queries from the CLient on the Gateway's TUN device. This is a special-case of DNS resolution. When receiving a TXT or SRV query for a domain that is covered by a DNS resources, Firezone Client's will forward that query to the corresponding Gateway and resolve it in its network context. SRV and TXT records are commonly used for service discovery and as such, should be resolved in the network context of the service, i.e. the site that assigned to the resource. For that usecase, it made sense to allow each DNS server to listen on 1 IPv4 and 1 IPv6 address. Since then, our event-loop has evolved a bit, being able to handle multiple inputs at once. As such, we can simplify the API of these crates to only listen on a single address and instead create multiple instances of them inside `Io`. Depending on how the design of our DNS implementation for the Clients evolves, this may be used to listen on multiple IPs later (e.g. from the `127.0.0.0/8` subnet). Related: #8263 |
||
|
Thomas Eizinger
|
804ef7a3fb |
fix(connlib): retain order of system/upstream DNS servers (#10773)
Right now, connlib hands out a `BiMap` of sentinel IPs <> upstream servers whenever it emits a `TunInterfaceUpdated` event. This `BiMap` internally uses two `HashMap`s. The iteration order of `HashMap`s is non-deterministic and therefore, we lose the order in which the upstream / system resolvers have been passed to us originally. To prevent that, we now emit a dedicated `DnsMapping` type that does not expose its internal data structure but only getters for retrieving the sentinel and upstream servers. Internally, it uses a `Vec` to store this mapping and thus retains the original order. This is asserted as part of our proptests by comparing the resulting `Vec`s. This fix is preceded by a few refactorings that encapsulate the code for creating and updating this DNS mapping. Resolves: #8439 |
||
|
Thomas Eizinger
|
1b7313622a |
feat(connlib): introduce l3-udp-dns-client (#10764)
With #8263, we will stop receiving UDP and TCP DNS queries on the tunnel but use regular sockets instead. This means that for UDP DNS queries that need to be sent _through_ the tunnel, we actually need to make new IP packets again. For TCP, we already have a crate that does this for us because there, we need to manage an entire TCP stack. For UDP, the story is a bit simpler but there are still a few things involved. In particular, we need to set a source address for the packets and we need to sample a new random port for each query. The crate added in this PR does exactly that. It is not yet used anywhere but split out into a separate PR to reduce the reviewing burden of the larger refactor. Related: #8263 Related: #10758 |
||
|
Thomas Eizinger
|
9e33e514c4 |
chore(linux): specify systemd-resolved dependency (#10783)
On Ubuntu, this should be the default anyway and already be installed but to be correct, we should list this dependency in the `depends` section of our `.deb`. That way, it will automatically get installed again if a user chooses to install the GUI client from our repository and doesn't have `systemd-resolved` installed. |
||
|
Jamil
|
0f73ec18ab | fix(website): azure app id json structure (#10785) | ||
|
dependabot[bot]
|
b5c420bd5b |
build(deps): bump serde_with from 3.14.0 to 3.15.0 in /rust (#10777)
Bumps [serde_with](https://github.com/jonasbb/serde_with) from 3.14.0 to 3.15.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jonasbb/serde_with/releases">serde_with's releases</a>.</em></p> <blockquote> <h2>serde_with v3.15.0</h2> <h3>Added</h3> <ul> <li> <p>Added error inspection to <code>VecSkipError</code> and <code>MapSkipError</code> by <a href="https://github.com/michelhe"><code>@michelhe</code></a> (<a href="https://redirect.github.com/jonasbb/serde_with/issues/878">#878</a>) This allows interacting with the previously hidden error, for example for logging. Checkout the newly added example to both types.</p> </li> <li> <p>Allow documenting the types generated by <code>serde_conv!</code>. The <code>serde_conv!</code> macro now acceps outer attributes before the optional visibility modifier. This allow adding doc comments in the shape of <code>#[doc = "..."]</code> or any other attributes, such as lint modifiers.</p> <pre lang="rust"><code>serde_conv!( #[doc = "Serialize bools as string"] #[allow(dead_code)] pub BoolAsString, bool, |x: &bool| ::std::string::ToString::to_string(x), |x: ::std::string::String| x.parse() ); </code></pre> </li> <li> <p>Add support for <code>hashbrown</code> v0.16 (<a href="https://redirect.github.com/jonasbb/serde_with/issues/877">#877</a>)</p> <p>This extends the existing support for <code>hashbrown</code> v0.14 and v0.15 to the newly released version.</p> </li> </ul> <h3>Changed</h3> <ul> <li>Bump MSRV to 1.76, since that is required for <code>toml</code> dev-dependency.</li> </ul> <h2>serde_with v3.14.1</h2> <h3>Fixed</h3> <ul> <li>Show macro expansion in the docs.rs generated rustdoc. Since macros are used to generate trait implementations, this is useful to understand the exact generated code.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
6d60653bac |
build(deps): bump gat-lending-iterator from 0.1.6 to 0.1.7 in /rust (#10776)
Bumps [gat-lending-iterator](https://github.com/Crazytieguy/gat-lending-iterator) from 0.1.6 to 0.1.7. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/Crazytieguy/gat-lending-iterator/commits/v0.1.7">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
5bf8482826 |
build(deps): bump com.google.firebase.appdistribution from 5.1.1 to 5.2.0 in /kotlin/android (#10781)
Bumps com.google.firebase.appdistribution from 5.1.1 to 5.2.0. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
f6aa499711 |
build(deps): bump com.google.firebase:firebase-bom from 34.4.0 to 34.5.0 in /kotlin/android (#10782)
Bumps com.google.firebase:firebase-bom from 34.4.0 to 34.5.0. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Thomas Eizinger
|
9016ffc9dc |
build(rust): bump to Rust 1.91.0 (#10767)
Rust 1.91 has been released and brings with it a few new lints that we need to tidy up. In addition, it also stabilizes `BTreeMap::extract_if`: A really nifty std-lib function that allows us to conditionally take elements from a map. We need that in a bunch of places. |
||
|
dependabot[bot]
|
21846b81e5 |
build(deps): bump vite from 7.1.7 to 7.1.11 in /rust/gui-client in the npm_and_yarn group across 1 directory (#10769)
Bumps the npm_and_yarn group with 1 update in the /rust/gui-client directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `vite` from 7.1.7 to 7.1.11 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/releases">vite's releases</a>.</em></p> <blockquote> <h2>v7.1.11</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.11/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.10</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.10/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.9</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.9/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.8</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.8/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md">vite's changelog</a>.</em></p> <blockquote> <h2><!-- raw HTML omitted --><a href="https://github.com/vitejs/vite/compare/v7.1.10...v7.1.11">7.1.11</a> (2025-10-20)<!-- raw HTML omitted --></h2> <h3>Bug Fixes</h3> <ul> <li><strong>dev:</strong> trim trailing slash before <code>server.fs.deny</code> check (<a href="https://redirect.github.com/vitejs/vite/issues/20968">#20968</a>) (<a href=" |
||
|
dependabot[bot]
|
1ac1bb044a |
build(deps): bump the sentry group in /rust with 2 updates (#10727)
Bumps the sentry group in /rust with 2 updates: [sentry](https://github.com/getsentry/sentry-rust) and [sentry-tracing](https://github.com/getsentry/sentry-rust). Updates `sentry` from 0.42.0 to 0.43.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-rust/releases">sentry's releases</a>.</em></p> <blockquote> <h2>0.43.0</h2> <h3>Breaking changes</h3> <ul> <li>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The <code>tracing</code> integration now uses the tracing span name as the Sentry span name by default.</li> <li>Before this change, the span name would be set based on the <code>tracing</code> span target (<code><module>::<function></code> when using the <code>tracing::instrument</code> macro).</li> <li>The <code>tracing</code> integration now uses <code><span target>::<span name></code> as the default Sentry span op (i.e. <code><module>::<function></code> when using <code>tracing::instrument</code>).</li> <li>Before this change, the span op would be set based on the <code>tracing</code> span name.</li> <li>Read below to learn how to customize the span name and op.</li> <li>When upgrading, please ensure to adapt any queries, metrics or dashboards to use the new span names/ops.</li> </ul> </li> <li>ref(tracing): use standard code attributes (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/899">#899</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>Logs now carry the attributes <code>code.module.name</code>, <code>code.file.path</code> and <code>code.line.number</code> standardized in OTEL to surface the respective information, in contrast with the previously sent <code>tracing.module_path</code>, <code>tracing.file</code> and <code>tracing.line</code>.</li> </ul> </li> <li>fix(actix): capture only server errors (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/877">#877</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The Actix integration now properly honors the <code>capture_server_errors</code> option (enabled by default), capturing errors returned by middleware only if they are server errors (HTTP status code 5xx).</li> <li>Previously, if a middleware were to process the request after the Sentry middleware and return an error, our middleware would always capture it and send it to Sentry, regardless if it was a client, server or some other kind of error.</li> <li>With this change, we capture errors returned by middleware only if those errors can be classified as server errors.</li> <li>There is no change in behavior when it comes to errors returned by services, in which case the Sentry middleware only captures server errors exclusively.</li> </ul> </li> <li>fix: send trace origin correctly (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/906">#906</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li><code>TraceContext</code> now has an additional field <code>origin</code>, used to report which integration created a transaction.</li> </ul> </li> </ul> <h3>Behavioral changes</h3> <ul> <li>feat(tracing): send both breadcrumbs and logs by default (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/878">#878</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>If the <code>logs</code> feature flag is enabled, and <code>enable_logs: true</code> is set on your client options, the default Sentry <code>tracing</code> layer now sends logs for all events at or above INFO.</li> </ul> </li> </ul> <h3>Features</h3> <ul> <li> <p>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> <ul> <li>Additional special fields have been added that allow overriding certain data on the Sentry span: <ul> <li><code>sentry.op</code>: override the Sentry span op.</li> <li><code>sentry.name</code>: override the Sentry span name.</li> <li><code>sentry.trace</code>: given a string matching a valid <code>sentry-trace</code> header (sent automatically by client SDKs), continues the distributed trace instead of starting a new one. If the value is not a valid <code>sentry-trace</code> header or a trace is already started, this value is ignored.</li> </ul> </li> <li><code>sentry.op</code> and <code>sentry.name</code> can also be applied retroactively by declaring fields with value <code>tracing::field::Empty</code> and then recorded using <code>tracing::Span::record</code>.</li> <li>Example usage: <pre lang="rust"><code>#[tracing::instrument(skip_all, fields( sentry.op = "http.server", sentry.name = "GET /payments", sentry.trace = headers.get("sentry-trace").unwrap_or(&"".to_owned()), ))] async fn handle_request(headers: std::collections::HashMap<String, String>) { // ... } </code></pre> </li> <li>Additional attributes are sent along with each span by default: <ul> <li><code>sentry.tracing.target</code>: corresponds to the <code>tracing</code> span's <code>metadata.target()</code></li> <li><code>code.module.name</code>, <code>code.file.path</code>, <code>code.line.number</code></li> </ul> </li> </ul> </li> <li> <p>feat(core): add Response context (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/874">#874</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> <ul> <li>The <code>Response</code> context can now be attached to events, to include information about HTTP responses such as headers, cookies and status code.</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-rust/blob/master/CHANGELOG.md">sentry's changelog</a>.</em></p> <blockquote> <h2>0.43.0</h2> <h3>Breaking changes</h3> <ul> <li>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The <code>tracing</code> integration now uses the tracing span name as the Sentry span name by default.</li> <li>Before this change, the span name would be set based on the <code>tracing</code> span target (<code><module>::<function></code> when using the <code>tracing::instrument</code> macro).</li> <li>The <code>tracing</code> integration now uses <code><span target>::<span name></code> as the default Sentry span op (i.e. <code><module>::<function></code> when using <code>tracing::instrument</code>).</li> <li>Before this change, the span op would be set based on the <code>tracing</code> span name.</li> <li>Read below to learn how to customize the span name and op.</li> <li>When upgrading, please ensure to adapt any queries, metrics or dashboards to use the new span names/ops.</li> </ul> </li> <li>ref(tracing): use standard code attributes (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/899">#899</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>Logs now carry the attributes <code>code.module.name</code>, <code>code.file.path</code> and <code>code.line.number</code> standardized in OTEL to surface the respective information, in contrast with the previously sent <code>tracing.module_path</code>, <code>tracing.file</code> and <code>tracing.line</code>.</li> </ul> </li> <li>fix(actix): capture only server errors (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/877">#877</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The Actix integration now properly honors the <code>capture_server_errors</code> option (enabled by default), capturing errors returned by middleware only if they are server errors (HTTP status code 5xx).</li> <li>Previously, if a middleware were to process the request after the Sentry middleware and return an error, our middleware would always capture it and send it to Sentry, regardless if it was a client, server or some other kind of error.</li> <li>With this change, we capture errors returned by middleware only if those errors can be classified as server errors.</li> <li>There is no change in behavior when it comes to errors returned by services, in which case the Sentry middleware only captures server errors exclusively.</li> </ul> </li> <li>fix: send trace origin correctly (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/906">#906</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li><code>TraceContext</code> now has an additional field <code>origin</code>, used to report which integration created a transaction.</li> </ul> </li> </ul> <h3>Behavioral changes</h3> <ul> <li>feat(tracing): send both breadcrumbs and logs by default (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/878">#878</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>If the <code>logs</code> feature flag is enabled, and <code>enable_logs: true</code> is set on your client options, the default Sentry <code>tracing</code> layer now sends logs for all events at or above INFO.</li> </ul> </li> </ul> <h3>Features</h3> <ul> <li> <p>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> <ul> <li>Additional special fields have been added that allow overriding certain data on the Sentry span: <ul> <li><code>sentry.op</code>: override the Sentry span op.</li> <li><code>sentry.name</code>: override the Sentry span name.</li> <li><code>sentry.trace</code>: given a string matching a valid <code>sentry-trace</code> header (sent automatically by client SDKs), continues the distributed trace instead of starting a new one. If the value is not a valid <code>sentry-trace</code> header or a trace is already started, this value is ignored.</li> </ul> </li> <li><code>sentry.op</code> and <code>sentry.name</code> can also be applied retroactively by declaring fields with value <code>tracing::field::Empty</code> and then recorded using <code>tracing::Span::record</code>.</li> <li>Example usage: <pre lang="rust"><code>#[tracing::instrument(skip_all, fields( sentry.op = "http.server", sentry.name = "GET /payments", sentry.trace = headers.get("sentry-trace").unwrap_or(&"".to_owned()), ))] async fn handle_request(headers: std::collections::HashMap<String, String>) { // ... } </code></pre> </li> <li>Additional attributes are sent along with each span by default: <ul> <li><code>sentry.tracing.target</code>: corresponds to the <code>tracing</code> span's <code>metadata.target()</code></li> <li><code>code.module.name</code>, <code>code.file.path</code>, <code>code.line.number</code></li> </ul> </li> </ul> </li> <li> <p>feat(core): add Response context (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/874">#874</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Jamil
|
20c40312dd | chore(website): add entra sync domain association (#10771) | ||
|
dependabot[bot]
|
a426ee2608 |
build(deps): bump the react group in /rust/gui-client with 2 updates (#10722)
Bumps the react group in /rust/gui-client with 2 updates: [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) and [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router). Updates `@types/react` from 19.1.13 to 19.1.15 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare view</a></li> </ul> </details> <br /> Updates `react-router` from 7.9.1 to 7.9.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/releases">react-router's releases</a>.</em></p> <blockquote> <h2>v7.9.3</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793</a></p> <h2>v7.9.2</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md">react-router's changelog</a>.</em></p> <blockquote> <h2>7.9.3</h2> <h3>Patch Changes</h3> <ul> <li> <p>Do not try to use <code>turbo-stream</code> to decode CDN errors that never reached the server (<a href="https://redirect.github.com/remix-run/react-router/pull/14385">#14385</a>)</p> <ul> <li>We used to do this but lost this check with the adoption of single fetch</li> </ul> </li> <li> <p>Fix Data Mode regression causing a 404 during initial load in when <code>middleware</code> exists without any <code>loader</code> functions (<a href="https://redirect.github.com/remix-run/react-router/pull/14393">#14393</a>)</p> </li> </ul> <h2>7.9.2</h2> <h3>Patch Changes</h3> <ul> <li> <ul> <li>Update client-side router to run client <code>middleware</code> on initial load even if no loaders exist (<a href="https://redirect.github.com/remix-run/react-router/pull/14348">#14348</a>)</li> <li>Update <code>createRoutesStub</code> to run route middleware <ul> <li>You will need to set the <code><RoutesStub future={{ v8_middleware: true }} /></code> flag to enable the proper <code>context</code> type</li> </ul> </li> </ul> </li> <li> <p>Update Lazy Route Discovery manifest requests to use a singular comma-separated <code>paths</code> query param instead of repeated <code>p</code> query params (<a href="https://redirect.github.com/remix-run/react-router/pull/14321">#14321</a>)</p> <ul> <li>This is because Cloudflare has a hard limit of 100 URL search param key/value pairs when used as a key for caching purposes</li> <li>If more that 100 paths were included, the cache key would be incomplete and could produce false-positive cache hits</li> </ul> </li> <li> <p>[UNSTABLE] Add <code>fetcher.unstable_reset()</code> API (<a href="https://redirect.github.com/remix-run/react-router/pull/14206">#14206</a>)</p> </li> <li> <p>Made useOutlet element reference have stable identity in-between route chages (<a href="https://redirect.github.com/remix-run/react-router/pull/13382">#13382</a>)</p> </li> <li> <p>feat: enable full transition support for the rsc router (<a href="https://redirect.github.com/remix-run/react-router/pull/14362">#14362</a>)</p> </li> <li> <p>In RSC Data Mode, handle SSR'd client errors and re-try in the browser (<a href="https://redirect.github.com/remix-run/react-router/pull/14342">#14342</a>)</p> </li> <li> <p>Support <code>middleware</code> prop on <code><Route></code> for usage with a data router via <code>createRoutesFromElements</code> (<a href="https://redirect.github.com/remix-run/react-router/pull/14357">#14357</a>)</p> </li> <li> <p>Handle encoded question mark and hash characters in ancestor splat routes (<a href="https://redirect.github.com/remix-run/react-router/pull/14249">#14249</a>)</p> </li> <li> <p>Fail gracefully on manifest version mismatch logic if <code>sessionStorage</code> access is blocked (<a href="https://redirect.github.com/remix-run/react-router/pull/14335">#14335</a>)</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |