mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
a80a9cbe2d2cba3bebb61ec644146560aff87da7
8143 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
a80a9cbe2d |
build(deps): bump the lifecycle group in /kotlin/android with 3 updates (#10433)
Bumps the lifecycle group in /kotlin/android with 3 updates: androidx.lifecycle:lifecycle-runtime-ktx, androidx.lifecycle:lifecycle-viewmodel-ktx and androidx.lifecycle:lifecycle-livedata-ktx.
Updates `androidx.lifecycle:lifecycle-runtime-ktx` from 2.9.2 to 2.9.4
Updates `androidx.lifecycle:lifecycle-viewmodel-ktx` from 2.9.2 to 2.9.4
Updates `androidx.lifecycle:lifecycle-livedata-ktx` from 2.9.2 to 2.9.4
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
2e0517ed7b |
feat(api): GET /account API (#10302)
By customer request, it would be helpful to expose an endpoint to retrieve current account / billing details like seats used and other usage-based metrics. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
685acdac3a |
feat: add more specific component type to user-agent header (#10457)
In order to allow the portal to more easily classify what kind of component is connecting, we extend the `get_user_agent` header to include a component type instead of the generic `connlib/`. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
|
da768d6a70 |
chore(website): remove cust logo (#10464)
Due to contractual obligations |
||
|
|
9865e03343 |
ci: fix double symmetric NAT test failure (#10410)
As it turns out, the flaky test was caused by a bug in the eBPF kernel where we read the old channel data header from the wrong offset. This made us essentially read garbage data for the channel number, causing us to:
a. Compute a bad checksum
b. Send the packet on a completely wrong channel
The reason this caused a flaky test is that it requires one side to pick IPv4 to talk to the relay and the other side IPv6. The happy-eyeballs approach of the `allocation` module made that non-deterministic, only exposing this bug occasionally.
To ensure these kinds of things are detected earlier in the future, I am adding an additional CI step that checks all packets emitted by the eBPF kernel for checksum errors.
Fixes: #10404
Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
|
6147110198 |
feat(website): bump max team users to 500 (#10459)
Related: https://app.hubspot.com/live-messages/23723443/inbox/9728566686 |
||
|
|
12986ebbcc |
build(deps): bump mixpanel-browser from 2.67.0 to 2.69.1 in /website (#10443)
Bumps [mixpanel-browser](https://github.com/mixpanel/mixpanel-js) from 2.67.0 to 2.69.1.

Release notes (sourced from [mixpanel-browser's releases](https://github.com/mixpanel/mixpanel-js/releases)):

rrweb upgrade and stricter disable_persistence:
- Upgraded rrweb to use a Mixpanel-maintained fork containing performance fixes from the rrweb team (https://github.com/mixpanel/rrweb)
- Added additional handling for `disable_persistence` so that sessionStorage and IndexedDB are not modified
- Fixed TypeScript imports for custom builds

Rage-Click detection and other updates:
This release adds support for Rage-Click tracking as part of the Autocapture subsystem. It is enabled in the default autocapture config, and can also be controlled explicitly with the `rage_click` autocapture init option.
Other updates include:
- Session Recording now blocks `<audio>` tags by default
- A new Feature-Flag method `flags.update_context()` facilitates updating context variables and refetching variants

Commits: See full diff in [compare view](https://github.com/mixpanel/mixpanel-js/commits)

Maintainer changes: This version was pushed to npm by [jakub.grz](https://www.npmjs.com/~jakub.grz), a new releaser for mixpanel-browser since your current version.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
d51b716e9c |
build(deps): bump ex_cldr from 2.42.0 to 2.43.0 in /elixir (#10431)
Bumps [ex_cldr](https://github.com/elixir-cldr/cldr) from 2.42.0 to 2.43.0.

Release notes (sourced from [ex_cldr's releases](https://github.com/elixir-cldr/cldr/releases)):

Cldr version 2.43.0

Deprecations:
- Deprecate `Cldr.Timezone.fetch/1` in favor of `Cldr.Timezone.fetch_short_zone/1`
- Deprecate `Cldr.Timezone.get/1` in favor of `Cldr.Timezone.get_short_zone/1`
- Deprecate `Cldr.Timezone.timezones_for_territory/0` in favor of `Cldr.Timezone.timezones_by_territory/0`
- Deprecate `Cldr.Timezone.validate_timezone/1` in favor of `Cldr.Timezone.validate_short_zone/1`

Enhancements:
- Adds metazone, metazone mapping and primary zone data to the build process. This data supports timezone name localisation for a future release of [ex_cldr_dates_times](https://github.com/elixir-cldr/cldr_dates_times). See the [github discussion](https://github.com/orgs/elixir-cldr/discussions/258) for more background.
  - Adds `Cldr.Config.metazones/0`
  - Adds `Cldr.Config.metazone_mapping/0`
  - Adds `Cldr.Config.metazone_ids/0`
  - Adds `Cldr.Config.primary_zones/0`
- Adds `Cldr.Timezone.canonical_timezones/0` to return the mapping of IANA long timezone names to their canonical equivalent.
- Adds `Cldr.Timezone.canonical_timezone/1` to return the canonical timezone name for a given IANA long timezone name, or `{:error, "Etc/Unknown"}`.

Changelog (sourced from [ex_cldr's changelog](https://github.com/elixir-cldr/cldr/blob/main/CHANGELOG.md)):

Cldr v2.43.0

This is the changelog for Cldr v2.43.0 released on August 25th, 2025. For older changelogs please consult the release tag on [GitHub](https://github.com/elixir-cldr/cldr/tags) |
||
|
|
2acdbf6e9e |
build(deps): bump pre-commit from 4.2.0 to 4.3.0 in /.github (#10430)
Bumps [pre-commit](https://github.com/pre-commit/pre-commit) from 4.2.0 to 4.3.0.

Release notes (sourced from [pre-commit's releases](https://github.com/pre-commit/pre-commit/releases)):

pre-commit v4.3.0

Features:
- `language: docker` / `language: docker_image`: detect rootless docker.
  - [#3446](https://redirect.github.com/pre-commit/pre-commit/issues/3446) PR by [`@matthewhughes934`](https://github.com/matthewhughes934).
  - [#1243](https://redirect.github.com/pre-commit/pre-commit/issues/1243) issue by [`@dkolepp`](https://github.com/dkolepp).
- `language: julia`: avoid `startup.jl` when executing hooks.
  - [#3496](https://redirect.github.com/pre-commit/pre-commit/issues/3496) PR by [`@ericphanson`](https://github.com/ericphanson).
- `language: dart`: support latest dart versions which require a higher sdk lower bound.
  - [#3507](https://redirect.github.com/pre-commit/pre-commit/issues/3507) PR by [`@bc-lee`](https://github.com/bc-lee).

Changelog (sourced from [pre-commit's changelog](https://github.com/pre-commit/pre-commit/blob/main/CHANGELOG.md)):

4.3.0 - 2025-08-09 |
||
|
|
40aba05742 |
build(deps): bump actions/checkout from 4 to 5 (#10440)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.

Release notes (sourced from [actions/checkout's releases](https://github.com/actions/checkout/releases)):

v5.0.0

What's Changed:
- Update actions checkout to use node 24 by [`@salmanmkc`](https://github.com/salmanmkc) in [actions/checkout#2226](https://redirect.github.com/actions/checkout/pull/2226)
- Prepare v5.0.0 release by [`@salmanmkc`](https://github.com/salmanmkc) in [actions/checkout#2238](https://redirect.github.com/actions/checkout/pull/2238)

⚠️ Minimum Compatible Runner Version:
v2.327.1
[Release Notes](https://github.com/actions/runner/releases/tag/v2.327.1)
Make sure your runner is updated to this version or newer to use this release.

Full Changelog: https://github.com/actions/checkout/compare/v4...v5.0.0

v4.3.0

What's Changed:
- docs: update README.md by [`@motss`](https://github.com/motss) in [actions/checkout#1971](https://redirect.github.com/actions/checkout/pull/1971)
- Add internal repos for checking out multiple repositories by [`@mouismail`](https://github.com/mouismail) in [actions/checkout#1977](https://redirect.github.com/actions/checkout/pull/1977)
- Documentation update - add recommended permissions to Readme by [`@benwells`](https://github.com/benwells) in [actions/checkout#2043](https://redirect.github.com/actions/checkout/pull/2043)
- Adjust positioning of user email note and permissions heading by [`@joshmgross`](https://github.com/joshmgross) in [actions/checkout#2044](https://redirect.github.com/actions/checkout/pull/2044)
- Update README.md by [`@nebuk89`](https://github.com/nebuk89) in [actions/checkout#2194](https://redirect.github.com/actions/checkout/pull/2194)
- Update CODEOWNERS for actions by [`@TingluoHuang`](https://github.com/TingluoHuang) in [actions/checkout#2224](https://redirect.github.com/actions/checkout/pull/2224)
- Update package dependencies by [`@salmanmkc`](https://github.com/salmanmkc) in [actions/checkout#2236](https://redirect.github.com/actions/checkout/pull/2236)
- Prepare release v4.3.0 by [`@salmanmkc`](https://github.com/salmanmkc) in [actions/checkout#2237](https://redirect.github.com/actions/checkout/pull/2237)

New Contributors:
- [`@motss`](https://github.com/motss) made their first contribution in [actions/checkout#1971](https://redirect.github.com/actions/checkout/pull/1971)
- [`@mouismail`](https://github.com/mouismail) made their first contribution in [actions/checkout#1977](https://redirect.github.com/actions/checkout/pull/1977)
- [`@benwells`](https://github.com/benwells) made their first contribution in [actions/checkout#2043](https://redirect.github.com/actions/checkout/pull/2043)
- [`@nebuk89`](https://github.com/nebuk89) made their first contribution in [actions/checkout#2194](https://redirect.github.com/actions/checkout/pull/2194)
- [`@salmanmkc`](https://github.com/salmanmkc) made their first contribution in [actions/checkout#2236](https://redirect.github.com/actions/checkout/pull/2236)

Full Changelog: https://github.com/actions/checkout/compare/v4...v4.3.0

v4.2.2

What's Changed:
- `url-helper.ts` now leverages well-known environment variables by [`@jww3`](https://github.com/jww3) in [actions/checkout#1941](https://redirect.github.com/actions/checkout/pull/1941)
- Expand unit test coverage for `isGhes` by [`@jww3`](https://github.com/jww3) in [actions/checkout#1946](https://redirect.github.com/actions/checkout/pull/1946)

Full Changelog: https://github.com/actions/checkout/compare/v4.2.1...v4.2.2

v4.2.1

What's Changed:
- Check out other refs/* by commit if provided, fall back to ref by [`@orhantoy`](https://github.com/orhantoy) in [actions/checkout#1924](https://redirect.github.com/actions/checkout/pull/1924)

New Contributors:
- [`@Jcambass`](https://github.com/Jcambass) made their first contribution in [actions/checkout#1919](https://redirect.github.com/actions/checkout/pull/1919)

Full Changelog: https://github.com/actions/checkout/compare/v4.2.0...v4.2.1

... (truncated) |
||
|
|
928bb89822 |
build(deps): bump oban from 2.19.4 to 2.20.1 in /elixir (#10437)
Bumps [oban](https://github.com/oban-bg/oban) from 2.19.4 to 2.20.1.

Release notes (sourced from [oban's releases](https://github.com/oban-bg/oban/releases)):

v2.20.0

This release brings a fantastic new helper function, an optional migration to aid pruning, some stability improvements, and a bevy of documentation updates.

🦋 Update Job

This introduces the `Oban.update_job/2,3` function to simplify updating existing jobs while ensuring data consistency and safety. Previously, updating jobs required manually constructing change operations or complex queries that could lead to race conditions or invalid state changes.

Only a curated subset of job fields, e.g. `:args`, `:max_attempts`, `:meta`, etc. may be updated and they use the same validation rules as insertion to prevent invalid data. Updates are also wrapped in a transaction with locking clauses to prevent concurrent modifications.

The function supports direct map changes:

```elixir
Oban.update_job(job, %{priority: 0, tags: ["urgent"]})
```

It also has a convenient function-based mode for dynamic changes:

```elixir
Oban.update_job(job, fn job ->
  %{meta: Map.put(job.meta, "processed_by", current_node())}
end)
```

❄️ Unique State Groups

There are now named unique state groups to replace custom state lists for unique jobs, promoting better uniqueness design and reducing configuration errors.

Previously, developers had to manually specify lists of job states for uniqueness, which was error-prone and could lead to subtle bugs when states were omitted or incorrectly combined. The new predefined groups ensure correctness and consistency across applications.

The new state groups are:
- `:all` - All job states
- `:incomplete` - Jobs that haven't finished (`~w(available scheduled executing retryable)a`)
- `:scheduled` - Only scheduled jobs (`[:scheduled]`)
- `:successful` - Jobs that completed successfully (`~w(available scheduled executing retryable completed)a`)

These groups eliminate the risk of accidentally creating incomplete or incorrect state lists that could allow duplicate jobs to be created when they shouldn't be, or prevent valid job creation when duplicates should be allowed.

🪺 Nested Plugin Supervision

Plugins and the internal Stager are now nested within a secondary supervision tree to improve system resilience and stability.

Previously, plugins were supervised directly under the main Oban supervisor alongside core process. This meant that plugin failures could potentially impact the entire Oban system, and frequent plugin restarts could trigger cascading failures in the primary supervision tree.

The new supervisor has more lenient restart limits to allow for more plugin restart attempts before giving up. This change makes Oban more robust in production environments where plugins may experience transient failures due to database or connectivity issues.

v2.20.0 — 2025-08-13

Enhancements

... (truncated)

Changelog (sourced from [oban's changelog](https://github.com/oban-bg/oban/blob/main/CHANGELOG.md)):

v2.20.1 — 2025-08-15

Bug Fixes:
- [Worker] Handle missing fields in unique Worker validation.
  Workers that specified `keys` without `fields` would fail validation at compile time. Now default values are considered for `use Oban.Worker` as well as `Job.new/2`.

v2.20.0 — 2025-08-13

Enhancements:
- `Migration` Add V13 migration for indexing cancelled and discarded states.
  A new V13 migration adds compound indexes to significantly improve `Oban.Plugins.Pruner` performance when cleaning up `discarded` and `cancelled` jobs. This is especially beneficial for applications that process large volumes of jobs and retain them for extended periods.
- `Repo` Expose dynamic repo switching as `with_dynamic_repo/2`
  The function was previously internal, which made impossible to use in external modules or extend upon. Now custom plugins and extensions can use `Repo.with_dynamic_repo/2` to use the configured dynamic repo options.

Bug Fixes:
- [Oban] Allow `insert_all/1,3` via Oban facade
  The `insert_all/1` and `insert_all/3` function variants were missing from the generated Oban facade functions when using a named instance.
- [Testing] Generate correct `perform_job/1,2,3` clauses.
  The `perform_job/2,3` clauses generated by `use Oban.Testing` didn't handle the `perform_job/2` variant designed to run jobs created with `build_job/3`. This caused test failures when trying to execute jobs built using the `build_job/3` helper function.
  The fix generates the missing `perform_job/2` clause along with a convenient `perform_job/1` variant, ensuring all testing scenarios work seamlessly regardless of how jobs are constructed.
- [Testing] Restrict inline execution to `available` and `scheduled` states.
  Jobs in the `completed` state or other non-runnable states were incorrectly attempted by the inline engine, potentially causing errors or unexpected behavior during testing.
- [Worker] Disallow `:keys` when `:fields` doesn't contain `:args` or `:meta`
  Unique job configurations using `:keys` were allowed even when `:fields` didn't include `:args` or `:meta`, which would result in runtime errors since keys can only extract values from these

... (truncated) |
||
|
|
916b9ee51f |
build(deps): bump next from 15.4.7 to 15.5.0 in /website (#10441)
Bumps [next](https://github.com/vercel/next.js) from 15.4.7 to 15.5.0.

Release notes (sourced from [next's releases](https://github.com/vercel/next.js/releases)):

v15.5.0

Core Changes:
- Use and enforce exhaustive switch statements for work unit store: [#81577](https://redirect.github.com/vercel/next.js/issues/81577)
- Enable `@typescript-eslint/switch-exhaustiveness-check` rule: [#81583](https://redirect.github.com/vercel/next.js/issues/81583)
- [dynamicIO] use RSC dynamicness to control partial vs complete PPR result: [#81627](https://redirect.github.com/vercel/next.js/issues/81627)
- [dynamicIO] Do not use `React.unstable_postpone()`: [#81652](https://redirect.github.com/vercel/next.js/issues/81652)
- feat: new detachable panel UI: [#81483](https://redirect.github.com/vercel/next.js/issues/81483)
- Turbopack: content-hash PageLoaderAsset: [#81450](https://redirect.github.com/vercel/next.js/issues/81450)
- [segment explorer] fix content overflow styling: [#81649](https://redirect.github.com/vercel/next.js/issues/81649)
- Improve reliability of owner stacks for async I/O errors: [#81501](https://redirect.github.com/vercel/next.js/issues/81501)
- fix(router): Prevent redirect loop on root data requests with basePath: [#81096](https://redirect.github.com/vercel/next.js/issues/81096)
- Ensure custom NextServer config is honored: [#81681](https://redirect.github.com/vercel/next.js/issues/81681)
- Fix before interactive incorrectly render css: [#81146](https://redirect.github.com/vercel/next.js/issues/81146)
- perf: memorize exclude function in webpack config: [#81525](https://redirect.github.com/vercel/next.js/issues/81525)
- Also enforce experimental features when there's no next config file: [#81679](https://redirect.github.com/vercel/next.js/issues/81679)
- feat(next/image): warn when `images.qualities` is undefined: [#81690](https://redirect.github.com/vercel/next.js/issues/81690)
- feat(build): optimize filterUniqueParamsCombinations to generate sub-combinations: [#81321](https://redirect.github.com/vercel/next.js/issues/81321)
- Update NextAdapter type and re-export: [#81692](https://redirect.github.com/vercel/next.js/issues/81692)
- upgrade to path-to-regexp@6.3.0: [#80123](https://redirect.github.com/vercel/next.js/issues/80123)
- [metadata] replace for initial body icon case: [#81688](https://redirect.github.com/vercel/next.js/issues/81688)
- [segment explorer] remove dev panel ui flag: [#81670](https://redirect.github.com/vercel/next.js/issues/81670)
- Simplify running test apps locally with `ppr` or `dynamicIO` enabled: [#81668](https://redirect.github.com/vercel/next.js/issues/81668)
- [turbopack] Return cached Promise from `__turbopack_load_by_url__`: [#81663](https://redirect.github.com/vercel/next.js/issues/81663)
- Upgrade React from `97cdd5d3-20250710` to `2f0e7e57-20250715`: [#81678](https://redirect.github.com/vercel/next.js/issues/81678)
- Delete unused `renderToString` function: [#81707](https://redirect.github.com/vercel/next.js/issues/81707)
- Discard prerendered route handler data from FS cache after revalidation: [#81611](https://redirect.github.com/vercel/next.js/issues/81611)
- Upgrade React from `2f0e7e57-20250715` to `d85ec5f5-20250716`: [#81708](https://redirect.github.com/vercel/next.js/issues/81708)
- Ignore pending revalidations during prerendering: [#81621](https://redirect.github.com/vercel/next.js/issues/81621)
- [turbopack] Clear chunk cache on HMR instead of creating new `next-server` VM: [#81664](https://redirect.github.com/vercel/next.js/issues/81664)
- fix: rootParams should throw in client when fallbackParams are not present: [#81711](https://redirect.github.com/vercel/next.js/issues/81711)
- perf(build): optimize buildAppStaticPaths performance and add helper function: [#81386](https://redirect.github.com/vercel/next.js/issues/81386)
- Turbopack: Support string without options for `@next/mdx`: [#81713](https://redirect.github.com/vercel/next.js/issues/81713)
- [Segment Cache] Support dynamic head prefetching: [#81677](https://redirect.github.com/vercel/next.js/issues/81677)
- [sourcemaps] Consistent cursor columns: [#81375](https://redirect.github.com/vercel/next.js/issues/81375)
- fix: revert client segment route changes for sub shell generation: [#81731](https://redirect.github.com/vercel/next.js/issues/81731)
- fix: pages router metadata bugs with React 19: [#81733](https://redirect.github.com/vercel/next.js/issues/81733)
- Improve error handling for `headers`/`cookies`/`draftMode` in `'use cache'`: [#81716](https://redirect.github.com/vercel/next.js/issues/81716)
- [devtool] fix duplicate rendered indicator on server: [#81729](https://redirect.github.com/vercel/next.js/issues/81729)
- [devtool] enable segment explorer by default: [#81737](https://redirect.github.com/vercel/next.js/issues/81737)
- [turbopack] Stop exposing globals from Turbopack runtime: [#81727](https://redirect.github.com/vercel/next.js/issues/81727)
- Remove unnecessary await: [#81761](https://redirect.github.com/vercel/next.js/issues/81761)
- [chore] bump zod to latest v3: [#81757](https://redirect.github.com/vercel/next.js/issues/81757)
- feat(turbopack): Log anonymized internal error (panic) information to telemetry: [#81272](https://redirect.github.com/vercel/next.js/issues/81272)
- fix: revert client segment route changes for sub shell generation: [#81740](https://redirect.github.com/vercel/next.js/issues/81740)
- bugfix: static resources staleTime should be renewed once refetched: [#81771](https://redirect.github.com/vercel/next.js/issues/81771)
- [devtool] move font styling to global.css: [#81782](https://redirect.github.com/vercel/next.js/issues/81782)
- [devtool] copy decoded info of error details: [#81735](https://redirect.github.com/vercel/next.js/issues/81735)
- fix(build): add sourcePage context for PPR dynamic route lambda creation: [#81781](https://redirect.github.com/vercel/next.js/issues/81781)
- refactor: rename experimental.dynamicIO to experimental.cacheComponents: [#81562](https://redirect.github.com/vercel/next.js/issues/81562)

... (truncated) |
||
|
|
69dd7a5c67 |
build(deps): bump amannn/action-semantic-pull-request from 5.5.3 to 6.1.1 (#10444)
Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5.5.3 to 6.1.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/amannn/action-semantic-pull-request/releases">amannn/action-semantic-pull-request's releases</a>.</em></p> <blockquote> <h2>v6.1.1</h2> <h2><a href="https://github.com/amannn/action-semantic-pull-request/compare/v6.1.0...v6.1.1">6.1.1</a> (2025-08-22)</h2> <h3>Bug Fixes</h3> <ul> <li>Parse <code>headerPatternCorrespondence</code> properly (<a href="https://redirect.github.com/amannn/action-semantic-pull-request/issues/295">#295</a>) (<a href=" |
||
|
|
809cfff0bc |
build(deps): bump docker/login-action from 3.4.0 to 3.5.0 in /.github/actions/ghcr-docker-login (#10447)
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.4.0 to 3.5.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/login-action/releases">docker/login-action's releases</a>.</em></p> <blockquote> <h2>v3.5.0</h2> <ul> <li>Support dual-stack endpoints for AWS ECR by <a href="https://github.com/Spacefish"><code>@Spacefish</code></a> <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/874">docker/login-action#874</a> <a href="https://redirect.github.com/docker/login-action/pull/876">docker/login-action#876</a></li> <li>Bump <code>@aws-sdk/client-ecr</code> to 3.859.0 in <a href="https://redirect.github.com/docker/login-action/pull/860">docker/login-action#860</a> <a href="https://redirect.github.com/docker/login-action/pull/878">docker/login-action#878</a></li> <li>Bump <code>@aws-sdk/client-ecr-public</code> to 3.859.0 in <a href="https://redirect.github.com/docker/login-action/pull/860">docker/login-action#860</a> <a href="https://redirect.github.com/docker/login-action/pull/878">docker/login-action#878</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.57.0 to 0.62.1 in <a href="https://redirect.github.com/docker/login-action/pull/870">docker/login-action#870</a></li> <li>Bump form-data from 2.5.1 to 2.5.5 in <a href="https://redirect.github.com/docker/login-action/pull/875">docker/login-action#875</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/login-action/compare/v3.4.0...v3.5.0">https://github.com/docker/login-action/compare/v3.4.0...v3.5.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
e9d1d127bf |
build(deps): bump actions/cache from 4.2.3 to 4.2.4 in /.github/actions/setup-elixir (#10449)
Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.2.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p> <blockquote> <h2>v4.2.4</h2> <h2>What's Changed</h2> <ul> <li>Update README.md by <a href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1620">actions/cache#1620</a></li> <li>Upgrade <code>@actions/cache</code> to <code>4.0.5</code> and move <code>@protobuf-ts/plugin</code> to dev dependencies by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1634">actions/cache#1634</a></li> <li>Prepare release <code>4.2.4</code> by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1636">actions/cache#1636</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/nebuk89"><code>@nebuk89</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1620">actions/cache#1620</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v4...v4.2.4">https://github.com/actions/cache/compare/v4...v4.2.4</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's changelog</a>.</em></p> <blockquote> <h1>Releases</h1> <h3>4.2.4</h3> <ul> <li>Bump <code>@actions/cache</code> to v4.0.5</li> </ul> <h3>4.2.3</h3> <ul> <li>Bump <code>@actions/cache</code> to v4.0.3 (obfuscates SAS token in debug logs for cache entries)</li> </ul> <h3>4.2.2</h3> <ul> <li>Bump <code>@actions/cache</code> to v4.0.2</li> </ul> <h3>4.2.1</h3> <ul> <li>Bump <code>@actions/cache</code> to v4.0.1</li> </ul> <h3>4.2.0</h3> <p>TLDR; The cache backend service has been rewritten from the 
ground up for improved performance and reliability. <a href="https://github.com/actions/cache">actions/cache</a> now integrates with the new cache service (v2) APIs.</p> <p>The new service will gradually roll out as of <strong>February 1st, 2025</strong>. The legacy service will also be sunset on the same date. Changes in this release are <strong>fully backward compatible</strong>.</p> <p><strong>We are deprecating some versions of this action</strong>. We recommend upgrading to version <code>v4</code> or <code>v3</code> as soon as possible before <strong>February 1st, 2025.</strong> (Upgrade instructions below).</p> <p>If you are using pinned SHAs, please use the SHAs of versions <code>v4.2.0</code> or <code>v3.4.0</code></p> <p>If you do not upgrade, all workflow runs using any of the deprecated <a href="https://github.com/actions/cache">actions/cache</a> will fail.</p> <p>Upgrading to the recommended versions will not break your workflows.</p> <h3>4.1.2</h3> <ul> <li>Add GitHub Enterprise Cloud instances hostname filters to inform API endpoint choices - <a href="https://redirect.github.com/actions/cache/pull/1474">#1474</a></li> <li>Security fix: Bump braces from 3.0.2 to 3.0.3 - <a href="https://redirect.github.com/actions/cache/pull/1475">#1475</a></li> </ul> <h3>4.1.1</h3> <ul> <li>Restore original behavior of <code>cache-hit</code> output - <a href="https://redirect.github.com/actions/cache/pull/1467">#1467</a></li> </ul> <h3>4.1.0</h3> <ul> <li>Ensure <code>cache-hit</code> output is set when a cache is missed - <a href="https://redirect.github.com/actions/cache/pull/1404">#1404</a></li> <li>Deprecate <code>save-always</code> input - <a href="https://redirect.github.com/actions/cache/pull/1452">#1452</a></li> </ul> <h3>4.0.2</h3> <ul> <li>Fixed restore <code>fail-on-cache-miss</code> not working.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
039f8f5f09 |
build(deps): bump the hilt group in /kotlin/android with 5 updates (#10438)
Bumps the hilt group in /kotlin/android with 5 updates: | Package | From | To | | --- | --- | --- | | [com.google.dagger.hilt.android](https://github.com/google/dagger) | `2.57` | `2.57.1` | | [com.google.dagger:hilt-android](https://github.com/google/dagger) | `2.57` | `2.57.1` | | androidx.hilt:hilt-compiler | `1.2.0` | `1.3.0` | | [com.google.dagger:hilt-android-compiler](https://github.com/google/dagger) | `2.57` | `2.57.1` | | [com.google.dagger:hilt-android-testing](https://github.com/google/dagger) | `2.57` | `2.57.1` | Updates `com.google.dagger.hilt.android` from 2.57 to 2.57.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/google/dagger/releases">com.google.dagger.hilt.android's releases</a>.</em></p> <blockquote> <h2>Dagger 2.57.1</h2> <h1>Bug fixes</h1> <ul> <li>Fixes <a href="https://redirect.github.com/google/dagger/issues/4734">#4734</a>: Updated Hilt's Gradle Plugin detection of AGP to maximize compatibility and avoid the confusing 'The Hilt Android Gradle plugin can only be applied to an Android project.' error when the plugin is on an Android project. (20adecbf5)</li> <li>Fixes <a href="https://redirect.github.com/google/dagger/issues/4848">#4848</a>: Set coreLibrariesVersion for the Kotlin compilation of the Hilt Gradle Plugin to further improve backwards compatibility. (00c7fc203)</li> <li>Fixes <a href="https://redirect.github.com/google/dagger/issues/4848">#4848</a>: Use api / language versions for the Kotlin compilation of the Hilt Gradle Plugin to not force projects to update to Kotlin 2.2.0, the current version used by the plugin. (58e499243)</li> <li>Fixes <a href="https://redirect.github.com/google/dagger/issues/4780">#4780</a>: Add support for the Jakarta Singleton annotation in Hilt. (ec7f76fa3)</li> <li>Fixes <a href="https://redirect.github.com/google/dagger/issues/4917">#4917</a>: Removes the explicit dependency to androidx.annotation:annotation-jvm and to a beta version of it. 
(092a85af0)</li> <li>Limit number of similar bindings shown in error messages to 20 (59ac2f981)</li> <li>Update wording for <a href="https://github.com/AssistedInject"><code>@AssistedInject</code></a> error to be more specific. (1702e79e0)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
94a56fc6bc |
build(deps): update aya to latest main (#10424)
We haven't updated `aya` in a while. Unfortunately, the update is not without problems. For one, the logging infrastructure changed, requiring us to drop the error details from `xdp_adjust_head`. See https://github.com/aya-rs/aya/issues/1348. Two, the `tokio` feature flag got removed but luckily that can be worked around quite easily. Resolves: #10344 |
||
|
|
f09232e983 |
ci: disable flaky integration test (#10427)
Until we can figure out why this is flaky, comment it out to allow for stable CI. |
||
|
|
aa68029a33 |
feat(gateway): use hickory resolver to resolve A/AAAA queries (#10373)
At present, the Gateway performs DNS resolution for A & AAAA queries via `libc`. The `resolve` system call only provides us with the resolved IPs but not any of the metadata around the query such as TTL. As a result, we can only cache DNS queries for a static amount of time, currently 30s. It would be more correct to cache them for their TTL instead. To do so, we re-introduce `hickory-resolver` to our codebase. Deliberately, we only use it for resolving A and AAAA records on the Gateway for now. DNS resolution for SRV & TXT records happens one layer below and uses the same infrastructure as DNS resolution on the Client. Merging this is difficult however because the Gateway still supports the control protocol of 1.3.x clients. That one requires DNS resolution prior to setting up the connection of DNS resources which means it needs to happen in the event-loop of the Gateway binary and cannot be moved into the `Tunnel` where DNS resolution for Client and SRV/TXT records happens. Once we can drop support for 1.3.x clients, this Gateway's event-loop will simplify drastically which will allow us to refactor this to a more unified approach of DNS resolution. Until then, we can at least fix the hardcoded TTL by using `hickory-resolver` in the event-loop. The functionality is guarded behind a feature-flag which - as usual - is off by default (i.e. for as long as we haven't fetched the flags). The feature flag is already configured to `true` for staging and production so we can test the new behaviour. Resolves: #8232 Related: #10385 |
||
|
|
c692efa2de |
fix(dependabot): remove anchors from dependabot config (#10422)
fix(dependabot): Remove anchors from dependabot config YAML anchors are not supported here. Also: - remove explicit major, minor and patch version cooldown periods - actually set it to 28 days (like previous PR claimed) Fixes #10378 |
||
|
|
683a190855 |
chore: install xdpdump in relay container (#10423)
Instead of the additional dockerfile, we can simply install the xdptools from the repository and have them available right in the relay container. |
||
|
|
cf837c5087 |
ci: fix build context for relay container (#10426)
The build context is taken relative from where the file is defined, meaning we first need to navigate two directories up. |
||
|
|
0310bafbcd |
feat(clients): gracefully close connections on shutdown (#10400)
In #10076, connlib gained the ability to gracefully close connections between peers. The Gateway already uses this when it is being gracefully shut down such as during an upgrade. This allows Clients to immediately fail-over to a different Gateway instead of waiting for an ICE timeout. When a Client signs out, we currently just drop all the state, resulting in an ICE timeout on the Gateway ~15 seconds later. This makes it difficult for us to analyze whether an ICE timeout in the logs presents an actual problem where a network connection got cut or whether the Client simply signed out. Whilst not water-tight, attempting to gracefully close our connections when the Client signs out is better than nothing so we implement this here. All Clients use the `Session` abstraction from `client-shared` which spawns the event-loop into a dedicated task. - For the Linux and Windows GUI client, the already present tokio runtime instance of the tunnel service is used for this. - For Android and Apple, we create a dedicated, single-threaded runtime instance for connlib. - For the headless client, we also reuse the already existing tokio runtime instance of the binary. In case of Android, Apple and the headless client, this means we need to ensure the tokio runtime instance stays alive long enough to actually complete the graceful shutdown task. We achieve this by draining the `EventStream` returned from `Session`. The `EventStream` is a wrapper around a channel connected to the event-loop. This stream only finishes once the event-loop is entirely dropped (and therefore completed the graceful shutdown) as it holds the sender-end of the channel. In case of the Linux and Windows GUI client, the runtime outlives the `Session` because it is scoped to the entire tunnel process. Therefore, no additional measures are necessary there to ensure the graceful shutdown task completes. |
||
|
|
1581042d10 |
ci: restart veth-config on failure (#10421)
For improved resilience, any failure during the startup of `veth-config` should restart the container and try again to attach it. |
||
|
|
81ddf22aa0 |
fix(portal): use href for non-live routes (#10407)
When redirecting to paths that don't have LiveViews attached to them, LiveView complains and emits a warning. To reduce alarm noise this PR attempts to fix the issue. |
||
|
|
e6a9b7cd41 |
ci: optimise log levels (#10409)
The majority of the log levels stated in the docker-compose file are stale because those crates have long been deleted or renamed. Additionally, the `wire` logs have already been disabled in release builds, meaning we no longer need to patch them out before the perf tests. |
||
|
|
8e00870942 |
refactor(gateway): close connections on error (#10401)
Previously, the Gateway would only proactively close connections to its peers when it was shut down gracefully via a SIGTERM or SIGINT signal. By copying the same design for the event-loop as I've implemented in #10400, we can now also initiate the graceful shutdown in case the event-loop exits with an error. |
||
|
|
7b2d98263a |
fix(ci): increase service healthcheck timeout by 5s (#10398)
The API service sometimes fails to get its `/healthz` endpoint up within 10s on slow GitHub runners. To fix this, we increase the health check timeout by 5s. Related: https://github.com/firezone/firezone/actions/runs/17873470250/job/50831320777?pr=10396 |
||
|
|
7ab5fee43a |
chore(portal): add remaining simple indexes (#10403)
- recreates the flows actor_group_membership index that didn't get created due to name collision with an existing index - adds missing resource_id, actor_group_id indexes on policies - removes redundant `resource_id` index on resource_connections since there's a composite index that matches already Related: #10396 |
||
|
|
7c326e003e |
fix(connlib): fuse event-loop future inside client session (#10399)
A `Future` in Rust should not be polled once it has been completed as that may lead to panics or otherwise undesirable behaviour. To avoid this, a `Future` can be `fuse`d which will make it return `Poll::Pending` indefinitely after it has returned `Ready`. We have received several Sentry alerts of poll-after-completion panics that I believe are all stemming from this particular code. |
||
|
|
88e801ad97 |
fix(gateway): re-join topic in phoenix-channel on error (#10397)
For whatever reason, we seem to sometimes lose the association with the "room" we are meant to be in in order to send messages to the portal. Without joining the right room, messages get dropped silently. To fix this, we re-join the room on such errors. Long-term, this will be fixed by ditching phoenix-channel in favor of simple HTTP requests. Related: #9649 |
||
|
|
c3e1bc8a5b |
chore(portal): add non-composite indexes (#10396)
Why: * Now that hard-delete has been rolled out, we need to make sure that all cascade deletes are efficient. Some of the foreign key references didn't have indexes but needed them. Fixes #10393 |
||
|
|
e20929ad73 |
build(deps): bump Rust version to 1.90 (#10380)
One of the more quiet Rust releases with no new clippy lints that would require code updates. |
||
|
|
9c8101a3ee |
chore: render contextual information more Sentry-friendly (#10386)
Sentry can group issues together that have unique identifiers in their message. Unfortunately, it only does that well for integers and UUIDs and not so much for hex-values. To avoid alert fatigue, we render the public key as a u256 which hopefully allows Sentry to group these together. |
||
|
|
15283f1af5 |
feat(portal): batch_upsert and delete_unsynced functions (#10369)
In order to support the new, upcoming directory sync implementations, we need the ability to batch upsert auth_identities, actors, actor_groups, and actor_group_memberships. We also need the ability to delete entities that were not upserted at the tail end of a sync job iteration in order to remove entities that are no longer in the directory. To support this, we add these functions and related tests here. Related: #6294 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
b72963d62b |
fix(ci): migrate with manual migrations (#10389)
In
|
||
|
|
5f4d2c14ea |
fix(ci): use correct index module name (#10383)
This gets redefined twice which could lead to indexes failing to run properly. |
||
|
|
378586b057 |
fix(apple): sentry hang tracking for singleton (#10382)
Trying to knock out some low-hanging Sentry alert fruit. Fixes #10381 |
||
|
|
bfac486df5 |
refactor(portal): use list comprehensions in cache (#10376)
Elixir's [list comprehensions](https://hexdocs.pm/elixir/comprehensions.html) are more concise and [often faster](https://stackoverflow.com/questions/55038704/elixir-enum-map-vs-for-comprehension) (~2x) than using multiple Enum.filter and Enum.map calls. Since I was in these modules debugging a possible race condition for #10375, I decided to go ahead and update some of these hot functions to use the more modern approach. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
8b2bf97513 |
fix(ci): RUN_MANUAL_MIGRATIONS=true (#10377)
This variable was renamed and not updated in our docker-compose.yml, causing intermittent errors like this one: https://github.com/firezone/firezone/actions/runs/17835644646/job/50712540454 |
||
|
|
8f46007674 | chore: publish android-client 1.5.4 (#10374) | ||
|
|
bfbdec1ea9 |
chore(android): tidy up AuthViewModel (#10372)
- removes unused authFlowLaunched var - store long authUrl in val |
||
|
|
f2ff5dfeca |
fix(android): launch auth in CustomTab (#10371)
Unfortunately, Firefox on Android seems to have a bug where it only allows one tab to intercept the custom URI scheme handler for our auth redirect. This causes an issue where the first sign in works, but subsequent ones do not because that first tab is still open. Luckily the fix here is quite simple. By using Android's CustomTabs to launch the activity, only one, sandboxed instance is ever open and the URI intercept works reliably. Both Firefox and Chrome (and likely other browsers) support CustomTabs, which means the user's default browser is used, allowing cookies, password managers, etc to be used. Related to this, this PR also fixes a bug where dismissing the launched auth flow would result in it immediately relaunching, making it impossible to get back to the app unless you force quit or complete the sign in process. Fixes #10318 |
||
|
|
90d10a8634 |
refactor(connlib): improve fairness of event-loop (#10347)
The event-loop inside `Tunnel` processes input according to a certain priority. We only take input from lower priority sources when the higher priority sources are not ready. The current priorities are: - Flush all buffers - Read from UDP sockets - Read from TUN device - Read from DNS servers - Process recursive DNS queries - Check timeout The idea of this priority ordering is to keep all kinds of processing bounded and "finish" any kind of work that is on-going before taking on new work. Anything that sits in a buffer is basically done with processing and just needs to be written out to the network / device. Arriving UDP packets have already traversed the network and been encrypted on the other end, meaning they are higher priority than reading from the TUN device. Packets from the TUN device still need to be encrypted and sent to the remote. Whilst there is merit in this design, it also bears the potential of starving input sources further down if the top ones are extremely busy. To prevent this, we refactor `Io` to read from all input sources and present it to the event-loop as a batch, allowing all sources to make progress before looping around. Since this event-loop was first conceived, we have refactored `Io` to use background threads for the UDP sockets and TUN device, meaning they will make progress by themselves anyway until the channels to the main-thread fill up. As such, there shouldn't be any latency increase in processing packets even though we are performing slightly more work per event-loop tick. This kind of batch-processing highlights a problem: Bailing out with an error midway through processing a batch leaves the remainder of the batch unprocessed, essentially dropping packets. To fix this, we introduce a new `TunnelError` type that presents a collection of errors that we encountered while processing the batch. 
This might actually also be a problem with what is currently in `main` because we are already batch-processing packets there but possibly are bailing out midway through the batch. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Mariusz Klochowicz <mariusz@klochowicz.com> |
||
|
|
3e6094af8d |
feat(linux): try to set rmem_max and wmem_max on startup (#10349)
The default send and receive buffer sizes on Linux are too small (only ~200 KB). Checking `nstat` after an iperf run revealed that the number of dropped packets in the first interval directly correlates with the number of receive buffer errors reported by `nstat`. We already try to increase the send and receive buffer sizes for our UDP socket but unfortunately, we cannot increase them beyond what the system limits them to. To work around this, we try to set `rmem_max` and `wmem_max` during startup of the Linux headless client and Gateway. This behaviour can be disabled by setting `FIREZONE_NO_INC_BUF=true`. This doesn't work in Docker unfortunately, so we set the values manually in the CI perf tests and verify after the test that we didn't encounter any send and receive buffer errors. It is yet to be determined how we should deal with this problem for all the GUI clients. See #10350 as an issue tracking that. Unfortunately, this doesn't fix all packet drops during the first iperf interval. With this PR, we now see packet drops on the interface itself. |
||
|
|
7222167b13 |
fix(connlib): limit the number of optimistic candidates (#10367)
To facilitate direct connections, `connlib` generates "optimistic" candidates that combine the port of the host candidate with the IP of the server-reflexive candidate. This allows sysadmins to port-forward the Firezone port 52625 on the Gateway, allowing for direct connections to happen behind symmetric NAT. This feature is only really useful for IPv4 as IPv6 doesn't need symmetric NAT due to the larger address space. It is also quite common that users have multiple IPv6 addresses on a single interface. The combination of the two can result in CPU spikes on the Gateway if a client connects and sends over e.g. 10 IPv6 host candidates and various IPv6 server-reflexive candidates. The Gateway then ends up in a loop where it creates an NxM matrix of all these candidates. To mitigate this, we disable optimistic candidates for IPv6 altogether and limit the number of IPv4 optimistic candidates to 2. |
||
|
|
69afe71215 |
refactor(connlib): remove concept of "ReplyMessages" (#10361)
In earlier versions of Firezone, the WebSocket protocol with the portal was using the request-response semantics built into Phoenix. This however is quite cumbersome to work with due to the polymorphic nature of the protocol design. We ended up moving away from it and instead only use one-way messages where each event directly corresponds to a message type. However, we have never removed the capability for reply messages from the `phoenix-channel` module, instead all usages just set it to `()`. We can simplify the code here by always setting this to `()`. Resolves: #7091 |
||
|
|
b1ed2f8a5e |
chore: improve macos dev experience (#10363)
Quality of life improvements for macOS devs, mostly relevant when not using Xcode as daily driver - although some convenience functions & explicit sentry dependency should make it better there too. |
||
|
|
852a7a9484 |
chore(dependabot): Add 28-day cooldown for supply-chain security (#10365)
Configure Dependabot with a 28-day cooldown period across all package ecosystems to protect against supply-chain attacks. This ensures newly released packages undergo community vetting before adoption. Key changes: - Add 7-day cooldown for all dependency types (major, minor, patch) - Switch from monthly to weekly checks to ensure timely updates after cooldown expires - Use YAML anchors to maintain DRY configuration (we can unfold them if we need custom config) Security rationale: - Most supply-chain attacks are discovered within a few days of release - Patch versions are particularly vulnerable as they're often auto-merged with less scrutiny - Weekly checks + 28-day cooldown = roughly matching previous elixir dependency update cadence Note: Security updates bypass the cooldown and are applied immediately, ensuring critical CVEs are patched without delay |
||
|
|
22eac1ad6d |
ci: add latency to routers (#10352)
Now that we have a more realistic network setup in our compose file, we can extend our router containers to apply the latency on the network path. This means any use of the compose file has a latency by default, simplifying our CI setup. It also allows us to restart containers without having to re-apply the latency which is useful during performance testing. |