Mirror of https://github.com/lingble/chatwoot.git (synced 2025-10-29 02:02:27 +00:00)
Branch: develop, 319 commits

610495123e | chore(deps): bump rack from 3.2.2 to 3.2.3 (#12642)
Bumps rack from 3.2.2 to 3.2.3.

f89ed56258 | feat: update rack version (#12628)
Fixes CI failing at bundle audit for a [rack vulnerability](https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c).

e9c1c61fe4 | chore(deps): bump uri from 1.0.3 to 1.0.4 (#12619)
Fixes CVE-2025-61594.

44fab70048 | feat: Add support for grouped file uploads in Slack (#12454)
Fixes https://linear.app/chatwoot/issue/CW-5646/add-support-for-grouped-file-uploads-in-slack

Previously, when sending multiple attachments to Slack, we uploaded them one by one. For example, sending 5 images would result in 5 separate Slack messages. This created clutter and a poor user experience, since Slack displayed each file as an individual message.

This PR updates the implementation to group all attachments from a message and send them as a single Slack message. As a result, attachments now appear together in one grouped block, providing a much cleaner and more intuitive experience for users.

**Before:** Each file uploaded as a separate Slack message.

![before](https://github.com/user-attachments/assets/c8c7f666-549b-428f-bd19-c94e39ed2513)

**After:** All files from a single message grouped and displayed together in one Slack message (similar to how Slack natively handles grouped uploads).

![after](https://github.com/user-attachments/assets/0b1f22d5-4d37-4b84-905a-15e742317e72)

**Changes**
- Upgraded Slack file upload implementation to use the new multiple attachments API available in slack-ruby-client `v2.7.0`.
- Updated attachment handling to upload all files from a message in a single API call.
- Enabled proper attachment grouping in Slack, ensuring related files are presented together.

e3020fbe2c | fix: Use case sensitive filter for phone_numbers (#12470)
The contact filter APIs were timing out due to the case‑insensitive
filter. There is no index for lower case phone numbers, so it would
perform a table scan, potentially examining 8 million records or more at
a time.
This change should fix the issue.
I am changing the filter to use direct comparison without lower‑case.
**Previous:**
```sql
SELECT contacts.*
FROM contacts
WHERE contacts.account_id = $1
AND (
LOWER(contacts.phone_number) = '<number>'
OR LOWER(contacts.phone_number) = '<other-number>'
)
ORDER BY contacts.created_at DESC NULLS LAST
LIMIT $2
OFFSET $3
```
**Updated:**
```sql
SELECT contacts.*
FROM contacts
WHERE contacts.account_id = $1
AND (
contacts.phone_number = '<number>'
OR contacts.phone_number = '<other-number>'
)
ORDER BY contacts.created_at DESC NULLS LAST
LIMIT $2
OFFSET $3
```
Fixes:
https://linear.app/chatwoot/issue/CW-5582/contact-filter-timing-out

239c4dcb91 | feat: MFA (#12290)
## Linear:
- https://github.com/chatwoot/chatwoot/issues/486

## Description
This PR implements Multi-Factor Authentication (MFA) support for user accounts, enhancing security by requiring a second form of verification during login. The feature adds TOTP (Time-based One-Time Password) authentication with QR code generation and backup codes for account recovery.

## Type of change
- [ ] New feature (non-breaking change which adds functionality)

## How Has This Been Tested?
- Added comprehensive RSpec tests for MFA controller functionality
- Tested MFA setup flow with QR code generation
- Verified OTP validation and backup code generation
- Tested login flow with MFA enabled/disabled

## Checklist:
- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my code
- [ ] I have commented on my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream modules

---------

Co-authored-by: Pranav <pranav@chatwoot.com>
Co-authored-by: Sojan Jose <sojan@pepalo.com>
Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>

79b93bed77 | feat: SAML authentication controllers [CW-2958] (#12319)

0a9edd4c3b | ci(circleci): switch coverage reporting to Qlty orb (#12337)

0c2ab7f5e7 | feat(ee): Setup advanced, performant message search (#12193)
We now support searching within the actual message content, email subject lines, and audio transcriptions. This enables a faster, more accurate search experience going forward. Unlike the standard message search, which is limited to the last 3 months, this search has no time restrictions.

The search engine also accounts for small variations in queries. Minor spelling mistakes, such as searching for slck instead of Slack, will still return the correct results. It also ignores differences in accents and diacritics, so searching for Deja vu will match content containing Déjà vu.

We can also refine searches in the future by criteria such as:
- Searching within a specific inbox
- Filtering by sender or recipient
- Limiting to messages sent by an agent

Fixes https://github.com/chatwoot/chatwoot/issues/11656
Fixes https://github.com/chatwoot/chatwoot/issues/10669
Fixes https://github.com/chatwoot/chatwoot/issues/5910

---

Rake task to reindex all the messages:

```sh
bundle exec rake search:all
```

Rake task to reindex messages from one account only:

```sh
bundle exec rake search:account ACCOUNT_ID=1
```

1a1dfd09cb | chore: add tidewave gem for development (#12236)
- add tidewave gem for development

ref: https://github.com/tidewave-ai/tidewave_rails

530125d4c5 | chore(deps): upgrade twilio-ruby to 7.6.0 for upcoming features (#12243)
### Summary
- Update Twilio gem to support latest features and API changes.
- No app code changes; Gemfile and Gemfile.lock only.

references: #11602, #11481

### Testing
- Existing Twilio SMS: send/receive still works; delivery status updates.
- Existing Twilio WhatsApp: send/receive still works; templates (if used) unaffected.
- Create new Twilio SMS/WhatsApp inboxes: can be created and can send/receive messages.

Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>

75119d4a08 | fix: switch to datadog v2 gem (#12214)
# Pull Request Template

## Description
- The `0.48` version of the `ddtrace` gem was out of date, which was causing the application to crash if `DD_AGENT_URL` was configured
- Switch to `datadog` gem, which is the currently maintained gem from DD

Ref: https://github.com/DataDog/dd-trace-rb/releases/tag/v2.0.0

1f03fc4dc3 | chore(deps): bump activerecord from 7.1.5.1 to 7.1.5.2 (#12195)
Bumps [activerecord](https://github.com/rails/rails) from 7.1.5.1 to 7.1.5.2.

Release notes (sourced from [activerecord's releases](https://github.com/rails/rails/releases)), 7.1.5.2:
- Active Support, Active Model, Action View, Action Pack, Active Job, Action Mailer, Action Cable: no changes.
- Active Record: Call inspect on ids in RecordNotFound error [CVE-2025-55193] (Gannon McGibbon, John Hawthorn)
- Active Storage: Remove dangerous transformations [CVE-2025-24293]

... (truncated)

c6be04cdc1 | feat: scenario agents & runner (#11944)
Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Sojan Jose <sojan@pepalo.com>
Co-authored-by: Pranav <pranav@chatwoot.com>
Co-authored-by: Sivin Varghese <64252451+iamsivin@users.noreply.github.com>

2a5ecf84a1 | chore: add sidekiq_alive gem for health check endpoint (#12008)
```
➜ chatwoot git:(feat/sidekiq-health) curl -I localhost:7433
HTTP/1.1 200 OK
Server: SidekiqAlive/2.5.0 (Ruby/3.4.4)
Connection: Keep-Alive
Date: Tue, 22 Jul 2025 10:34:28 GMT
Content-Length: 6

➜ chatwoot git:(feat/sidekiq-health) curl localhost:7433
Alive!%
```

fixes: https://github.com/chatwoot/chatwoot/issues/10948

d276025419 | fix: circle ci bundle audit (#12019)

b71a0da10d | feat: scenario tools [CW-4597] (#11908)
Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Sojan Jose <sojan@pepalo.com>

a0bf6055fc | fix: Upgrade letter_opener to fix cannot load such file -- kconv error (#11809)
The email jobs were failing in local development due to a `cannot load such file -- kconv` error. This was caused by a removed dependency in the latest version of the letter_opener gem. Upgrading to the latest version resolves the issue.

bc42aec68e | chore: upgrade ruby version to 3.4.4 (#11524)
- Chore upgrade ruby version to 3.4.4 before we migrate to rails 7.2 over #11037

16e0dbb3aa | chore(deps): Bump rack from 2.2.13 to 2.2.14 (#11444)
Bumps [rack](https://github.com/rack/rack) from 2.2.13 to 2.2.14.

Changelog (sourced from [rack's changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)):
- [2.2.14] - 2025-05-06, Security: [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.

948a118490 | chore(deps): Bump net-imap from 0.4.19 to 0.4.20 (#11386)
Bumps [net-imap](https://github.com/ruby/net-imap) from 0.4.19 to 0.4.20.

Release notes (sourced from [net-imap's releases](https://github.com/ruby/net-imap/releases)), v0.4.20:

This release backports two features to prevent unbounded memory use: the `response_handlers` keyword argument to `Net::IMAP.new` so response handlers can be added before the server can send any responses ([ruby/net-imap#427](https://redirect.github.com/ruby/net-imap/pull/427)), and the `max_response_size` config attribute ([ruby/net-imap#445](https://redirect.github.com/ruby/net-imap/pull/445)).

> [!NOTE] The default `max_response_size` is `nil` (unlimited), to avoid backward compatibility issues with secure connections to trusted servers that are well-behaved. It can be configured more conservatively to guard against untrusted servers (for example, connecting to user-provided hostnames). *It is the responsibility of `net-imap` users to configure their client appropriately for the server they are connecting to.*

Added:
- Add `response_handlers` kwarg to `Net::IMAP.new` by @nevans in ruby/net-imap#427 (backports #419)
- Limit max_response_size by @nevans in ruby/net-imap#445 (backports #444)

Documentation:
- Backport documentation to v0.4 by @nevans in ruby/net-imap#426 (backports #418, #420, documentation only from #416, and #424)

Other Changes:
- Update versioned default configs by @nevans in ruby/net-imap#413 (backports #412)
- Refactor `get_response` by @nevans in ruby/net-imap#431 (backports #422)
- Rational config versions by @nevans in ruby/net-imap#430 (backports #429)
- Extract ResponseReader from get_response by @nevans in ruby/net-imap#434 (backports #433)
- Refactoring by @nevans in ruby/net-imap#436 (backports #417 and #435)

Miscellaneous:
- Various test improvements to v0.4 by @nevans in ruby/net-imap#425 (backports #414, #415, #421, and `assert_pattern` from minitest, originally in #333)

Full Changelog: https://github.com/ruby/net-imap/compare/v0.4.19...v0.4.20

2d7148931f | chore(deps): Bump nokogiri from 1.18.4 to 1.18.8 (#11347)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.18.4 to 1.18.8.

Release notes and changelog (sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases) and [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)):
- v1.18.8 / 2025-04-21, Security: [CRuby] Vendored libxml2 is updated to [v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8) to address CVE-2025-32414 and CVE-2025-32415. See [GHSA-5w6v-399v-w3cc](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc) for more information.
- v1.18.7 / 2025-03-31, Dependencies: [CRuby] Vendored libxml2 is updated to [v2.13.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.7), which is a bugfix release.
- v1.18.6 / 2025-03-24, Fixed: [JRuby] In HTML documents, `Node#attribute` now returns the correct attribute. This has been broken, and returning `nil`, since v1.17.0. (#3487) @flavorjones
- v1.18.5 / 2025-03-19, Fixed: [JRuby] Update JRuby's XML serialization so it outputs namespaces exactly like CRuby. (#3455, #3456) @johnnyshields

07d19362d2 | chore(deps): Bump nokogiri from 1.18.3 to 1.18.4 (#11153)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.18.3 to 1.18.4.

Release notes (sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases)):
- v1.18.4 / 2025-03-14, Security: [CRuby] Vendored libxslt is updated to [v1.1.43](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43) to address CVE-2025-24855 and CVE-2024-55549. See [GHSA-mrxw-mxhj-p664](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-mrxw-mxhj-p664) for more information.

3a4249da11 | feat: Add support for multi-language support for Captain (#11068)
This PR implements the following features:
- FAQs from conversations will be generated in account language
- Contact notes will be generated in account language
- Copilot chat will respond in user language, unless the agent asks the question in a different language

## Changes

### Copilot Chat
- Update the prompt to include an instruction for the language; the bot will reply in the asked language, but will default to account language
- Update the `ChatService` class to pass the language to `SystemPromptsService`

### FAQ and Contact note generation
- Update contact note generator and conversation generator to include account locale
- Pass the account locale to `SystemPromptsService`

Screenshots: FAQs being generated in system language; Copilot responding in system language.

---------

Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
Co-authored-by: Pranav <pranav@chatwoot.com>

b34c526c51 | feat(apps): Shopify Integration (#11101)
This PR adds native integration with Shopify. No more dashboard apps. The support agents can view the orders, their status and the link to the order page on the conversation sidebar.

This PR does the following:
- Create an integration with Shopify (a new app is added in the integrations tab)
- Option to configure it in SuperAdmin
- OAuth endpoint and the callbacks.
- Frontend component to render the orders. (We might need to cache it in the future)

---------

Co-authored-by: iamsivin <iamsivin@gmail.com>
Co-authored-by: Sivin Varghese <64252451+iamsivin@users.noreply.github.com>
Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>

dedd67167a | chore(deps): Bump rack from 2.2.12 to 2.2.13 (#11056)
Bumps [rack](https://github.com/rack/rack) from 2.2.12 to 2.2.13.

Changelog (sourced from [rack's changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)):
- [2.2.13] - 2025-03-11, Security: [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.

d017156f32 | fix: Disable syncing IMAP if the account is suspended (#11031)
This PR disables the IMAP syncing if the account is suspended.

c1f6d9f76f | feat: Add the ability to filter items in Super Admin panel (#11020)

429d2e5ef5 | chore(deps): Bump slack-ruby-client from 2.5.1 to 2.5.2 (#10963)

9a4c1e1fb9 | chore(deps): Bump nokogiri from 1.18.2 to 1.18.3 (#10929)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.18.2 to 1.18.3.

Release notes (sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases)):
- v1.18.3 / 2025-02-18, Security: [CRuby] Vendored libxml2 is updated to [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6) to address CVE-2025-24928 and CVE-2024-56171. See [GHSA-vvfq-8hwr-qm4m](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m) for more information.

Changelog (sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/v1.18.3/CHANGELOG.md)) adds: Nokogiri's maintainers believe these vulnerabilities do not affect users of Nokogiri, but we advise upgrading at your earliest convenience anyway.

031199f15a | chore: Slack file upload changes (#10903)
The Slack `files.upload` API endpoint is deprecated and will stop functioning on March 11, 2025. In this PR, we have implemented the changes for the [new file upload](https://api.slack.com/messaging/files#uploading_files) method.

69e3926db6 | chore(deps): Switch html2text back to rubygems (#10911)
## Description
Hi! I've recently started helping maintain this gem as we use it heavily in our app as well. It's been updated to work with newer versions of nokogiri and has a few important fixes too.

## How Has This Been Tested?
Assuming you already have test coverage that would cover this.

## Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [x] I have commented on my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [x] Any dependent changes have been merged and published in downstream modules

Co-authored-by: Sojan Jose <sojan@pepalo.com>

46c0198b6a | chore(deps): Bump rack from 2.2.10 to 2.2.11 (#10894)
Bumps [rack](https://github.com/rack/rack) from 2.2.10 to 2.2.11.

Changelog (sourced from [rack's changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)):

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).

Unreleased
- Added: Introduce `Rack::VERSION` constant. (#2199, @ioquatix)
- Added: ISO-2022-JP encoded parts within MIME Multipart sections of an HTTP request body will now be converted to UTF-8. (#2245, @nappa)
- Changed: Invalid cookie keys will now raise an error. (#2193, @ioquatix)
- Changed: `Rack::MediaType#params` now handles empty strings. (#2229, @jeremyevans)
- Deprecated: `Rack::Auth::AbstractRequest#request` is deprecated without replacement. (#2229, @jeremyevans)
- Deprecated: `Rack::Request#parse_multipart` (private method designed to be overridden in subclasses) is deprecated without replacement. (#2229, @jeremyevans)
- Removed: `Rack::Request#values_at` is removed. (#2200, @ioquatix)
- Removed: `Rack::Logger` is removed with no replacement. (#2196, @ioquatix)
- Removed: Automatic cache invalidation in `Rack::Request#{GET,POST}` has been removed. (#2230, @jeremyevans)
- Fixed: `Rack::RewindableInput::Middleware` no longer wraps a nil input. (#2259, @tt)

[3.1.9] - 2025-01-31
- Fixed: `Rack::MediaType#params` now handles parameters without values. (#2263, @AllyMarthaJ)

[3.1.8] - 2024-10-14
- Fixed: Resolve deprecation warnings about uri `DEFAULT_PARSER`. (#2249, @earlopain)

[3.1.7] - 2024-07-11
- Fixed: Do not remove escaped opening/closing quotes for content-disposition filenames. (#2229, @jeremyevans)
- Fixed: Fix encoding setting for non-binary IO-like objects in MockRequest#env_for. (#2227, @jeremyevans)
- Fixed: `Rack::Response` should not generate invalid `content-length` header. (#2219, @ioquatix)

... (truncated)

d7c0507e33 | chore(deps): Bump net-imap from 0.4.17 to 0.4.19 (#10871)
Bumps [net-imap](https://github.com/ruby/net-imap) from 0.4.17 to 0.4.19. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ruby/net-imap/releases">net-imap's releases</a>.</em></p> <blockquote> <h2>v0.4.19</h2> <h2>What's Changed</h2> <h3>🔒 Security Fix</h3> <p>Fixes CVE-2025-25186 (GHSA-7fc5-f82f-cx69): A malicious server can exhaust client memory by sending <code>APPENDUID</code> or <code>COPYUID</code> responses with very large <code>uid-set</code> ranges. <code>Net::IMAP::UIDPlusData</code> expands these ranges into arrays of integers.</p> <h4>Fix with minor API changes</h4> <p>Set <code>config.parser_use_deprecated_uidplus_data</code> to <code>false</code> to replace <code>UIDPlusData</code> with <code>AppendUIDData</code> and <code>CopyUIDData</code>. These classes store their UIDs as <code>Net::IMAP::SequenceSet</code> objects (<em>not</em> expanded into arrays of integers). Code that does not handle <code>APPENDUID</code> or <code>COPYUID</code> responses should not see any difference. Code that does handle these responses <em>may</em> need to be updated.</p> <p>For v0.3.8, this option is not available. For v0.4.19, the default value is <code>true</code>. For v0.5.6, the default value is <code>:up_to_max_size</code>. For v0.6.0, the only allowed value will be <code>false</code> <em>(<code>UIDPlusData</code> will be removed from v0.6)</em>.</p> <h4>Mitigate with backward compatible API</h4> <p>Adjust <code>config.parser_max_deprecated_uidplus_data_size</code> to limit the maximum <code>UIDPlusData</code> UID set size. When <code>config.parser_use_deprecated_uidplus_data == true</code>, larger sets will crash. When <code>config.parser_use_deprecated_uidplus_data == :up_to_max_size</code>, larger sets will use <code>AppendUIDData</code> or <code>CopyUIDData</code>.</p> <p>For v0.3.8, this limit is <em>hard-coded</em> to 10,000. For v0.4.19, this limit defaults to 1000. For v0.5.6, this limit defaults to 100. 
For v0.6.0, the only allowed value will be <code>0</code> <em>(<code>UIDPlusData</code> will be removed from v0.6)</em>.</p> <h4>Please Note: unhandled responses</h4> <p>If the client does not add response handlers to prune unhandled responses, a malicious server can still eventually exhaust all client memory, by repeatedly sending malicious responses. However, <code>net-imap</code> has always retained unhandled responses, and it has always been necessary for long-lived connections to prune these responses. This is not significantly different from connecting to a trusted server with a long-lived connection. To limit the maximum number of retained responses, a simple handler might look something like the following:</p> <pre lang="ruby"><code># Keep at most `limit` retained responses per response name / response code.
limit = 1000
imap.add_response_handler do |resp|
  next unless resp.respond_to?(:name) && resp.respond_to?(:data)
  name = resp.name
  # Only status responses (OK/NO/BAD/BYE/PREAUTH) carry ResponseText with a code;
  # plain is_a? keeps this working without ActiveSupport's Object#in?.
  code = resp.data.code&.name if resp.data.is_a?(Net::IMAP::ResponseText)
  # slice!(0...-limit) drops the oldest entries and keeps the newest `limit`.
  imap.responses(name) { _1.slice!(0...-limit) }
  imap.responses(code) { _1.slice!(0...-limit) } if code
end
</code></pre> <h3>Added</h3> <ul> <li>🔧 ResponseParser config is mutable and non-global (backports <a href="https://redirect.github.com/ruby/net-imap/issues/381">#381</a>) by <a href="https://github.com/nevans"><code>@nevans</code></a> in <a href="https://redirect.github.com/ruby/net-imap/pull/382">ruby/net-imap#382</a></li> <li>✨ SequenceSet ordered entries methods (backports to v0.4-stable) by <a href="https://github.com/nevans"><code>@nevans</code></a> in <a href="https://redirect.github.com/ruby/net-imap/pull/402">ruby/net-imap#402</a> Backports the following: <ul> <li>✨ Add SequenceSet methods for querying about duplicates by <a href="https://github.com/nevans"><code>@nevans</code></a> in <a href="https://redirect.github.com/ruby/net-imap/pull/384">ruby/net-imap#384</a></li> <li>✨ Add <code>SequenceSet#each_ordered_number</code> by <a href="https://github.com/nevans"><code>@nevans</code></a> in <a 
href="https://redirect.github.com/ruby/net-imap/pull/386">ruby/net-imap#386</a></li> <li>✨ Add <code>SequenceSet#find_ordered_index</code> by <a href="https://github.com/nevans"><code>@nevans</code></a> in <a href="https://redirect.github.com/ruby/net-imap/pull/396">ruby/net-imap#396</a></li> <li>✨ Add <code>SequenceSet#ordered_at</code> by <a href="https://github.com/nevans"><code>@nevans</code></a> in <a href="https://redirect.github.com/ruby/net-imap/pull/397">ruby/net-imap#397</a></li> </ul> </li> <li>✨ Backport UIDPlusData, AppendUIDData, CopyUIDData to v0.4 by <a href="https://github.com/nevans"><code>@nevans</code></a> in <a href="https://redirect.github.com/ruby/net-imap/pull/404">ruby/net-imap#404</a> Backports the following: <ul> <li>✨ Add AppendUIDData and CopyUIDData classes by <a href="https://github.com/nevans"><code>@nevans</code></a> in <a href="https://redirect.github.com/ruby/net-imap/pull/400">ruby/net-imap#400</a></li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
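The net-imap advisory above turns on one detail: a `uid-set` such as `1:4294967295` is tiny on the wire but, expanded into an Array of Integers, is several gigabytes. The following is an added example, not net-imap's own code or API, showing a parser for the `uid-set` grammar from RFC 4315 (`uniqueid` or `lo:hi` ranges, comma separated) that keeps ranges as ranges, computes the set size without allocating, and only expands under an explicit cap, which is the idea behind the `parser_max_deprecated_uidplus_data_size` limit. `UidSet`, `parse_copyuid` and the sample server responses are invented for this illustration; it handles the general grammar, not only the COPYUID case quoted in the release note.

```ruby
# Added example (not net-imap's own code): parse the IMAP uid-set grammar used
# in APPENDUID/COPYUID response codes without expanding ranges into arrays.
# UidSet, parse_copyuid and the sample responses are invented for this example.
class UidSet
  MAX_UID = 2**32 - 1 # a uniqueid is a 32-bit nz-number

  attr_reader :ranges

  def initialize(ranges)
    @ranges = ranges
  end

  # "304,319:320" -> [304..304, 319..320]; ranges are stored, never expanded.
  def self.parse(text)
    raise ArgumentError, "empty uid-set" if text.nil? || text.empty?
    ranges = text.split(",", -1).map do |part|
      raise ArgumentError, "bad uid-range #{part.inspect}" if part.empty? || part.count(":") > 1
      lo, hi = part.split(":", -1)
      lo = Integer(lo, 10)
      hi = hi.nil? ? lo : Integer(hi, 10)
      [lo, hi].each do |n|
        raise ArgumentError, "uid #{n} out of range" unless n.between?(1, MAX_UID)
      end
      lo, hi = hi, lo if lo > hi # "4:2" denotes the same set as "2:4"
      lo..hi
    end
    new(ranges)
  end

  # Cardinality in O(number of ranges), however wide each range is.
  def size
    ranges.sum { |r| r.end - r.begin + 1 }
  end

  # Materialise an Array only when the caller accepts the cost; a hostile
  # "1:4294967295" is refused here instead of exhausting memory.
  def expand(max:)
    raise RangeError, "uid-set has #{size} UIDs, limit is #{max}" if size > max
    ranges.flat_map(&:to_a)
  end
end

# Extracts the COPYUID response code from a tagged status line such as
# "A003 OK [COPYUID 38505 304,319:320 3956:3958] Done" and returns
# [uidvalidity, source UidSet, destination UidSet].
def parse_copyuid(line)
  m = line.match(/\[COPYUID (\d+) (\S+) (\S+)\]/)
  raise ArgumentError, "no COPYUID response code in #{line.inspect}" unless m
  src = UidSet.parse(m[2])
  dst = UidSet.parse(m[3])
  raise ArgumentError, "source/destination UID counts differ" unless src.size == dst.size
  [Integer(m[1], 10), src, dst]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample responses, not captured from a real server.
  _, src, dst = parse_copyuid("A003 OK [COPYUID 38505 304,319:320 3956:3958] Done")
  p src.expand(max: 1000) # [304, 319, 320]
  p dst.expand(max: 1000) # [3956, 3957, 3958]

  _, evil, = parse_copyuid("A004 OK [COPYUID 1 1:4294967295 1:4294967295] Done")
  puts evil.size # 4294967295, computed without allocating anything
  begin
    evil.expand(max: 1000)
  rescue RangeError => e
    puts "refused: #{e.message}"
  end
end
```

The design point is the same one the release note makes about `SequenceSet`: the dangerous step is not parsing the response but eagerly converting it to integers, so the conversion is the place to put the size check.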
|
|
d070743383 |
feat(ee): Add Captain features (#10665)
Migration Guide: https://chwt.app/v4/migration

This PR imports all the work related to Captain into the EE codebase. Captain represents the AI-based features in Chatwoot and includes the following key components:

- Assistant: An assistant has a persona, the product it would be trained on. At the moment, the data on which it is trained comes from websites; future integrations will cover Notion documents, PDFs, etc. This PR enables connecting an assistant to an inbox. The assistant would run the conversation every time before transferring it to an agent.
- Copilot for Agents: When an agent is supporting a customer, we will be able to offer additional help to look up some data or fetch information from integrations etc. via copilot.
- Conversation FAQ generator: When a conversation is resolved, the Captain integration would identify questions which were not in the knowledge base.
- CRM memory: Learns from the conversations and identifies important information about the contact.

---------

Co-authored-by: Vishnu Narayanan <vishnu@chatwoot.com> Co-authored-by: Sojan <sojan@pepalo.com> Co-authored-by: iamsivin <iamsivin@gmail.com> Co-authored-by: Sivin Varghese <64252451+iamsivin@users.noreply.github.com> |
||
|
|
ccb117d36a |
chore(deps): bump actionpack from 7.0.8.5 to 7.0.8.7 (#10569)
Bumps [actionpack](https://github.com/rails/rails) from 7.0.8.5 to 7.0.8.7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rails/rails/releases">actionpack's releases</a>.</em></p> <blockquote> <h2>7.0.8.7</h2> <h2>Active Support</h2> <ul> <li>No changes.</li> </ul> <h2>Active Model</h2> <ul> <li>No changes.</li> </ul> <h2>Active Record</h2> <ul> <li>No changes.</li> </ul> <h2>Action View</h2> <ul> <li>No changes.</li> </ul> <h2>Action Pack</h2> <ul> <li> <p>Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.</p> <p>[CVE-2024-54133]</p> <p><em>Gannon McGibbon</em></p> </li> </ul> <h2>Active Job</h2> <ul> <li>No changes.</li> </ul> <h2>Action Mailer</h2> <ul> <li>No changes.</li> </ul> <h2>Action Cable</h2> <ul> <li>No changes.</li> </ul> <h2>Active Storage</h2> <ul> <li>No changes.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
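The Action Pack note above is terse: "disallow spaces and semicolons" in a CSP source. The reason is that a browser splits the `Content-Security-Policy` header on `;` to find directives and on whitespace to find sources, so a single attacker-influenced value such as `'self'; script-src https://cdn.attacker.test` handed to one directive method silently adds a second directive. The following toy builder is an added example, not Rails code: `Policy`, its methods and the `SMUGGLED` value are invented here, and real applications use `ActionDispatch::ContentSecurityPolicy` rather than this class. It shows the unchecked concatenation beside the validated form.

```ruby
# Added example (not Rails' own code): a toy CSP builder contrasting unchecked
# concatenation with the per-source validation described for CVE-2024-54133.
# Policy, #add_unchecked, #add, Policy.directives_as_browser_sees and SMUGGLED
# are names invented for this illustration.
class Policy
  def initialize
    @directives = {}
  end

  # Pre-fix behaviour: whatever string it is handed is concatenated verbatim.
  def add_unchecked(directive, *sources)
    (@directives[directive] ||= []).concat(sources)
    self
  end

  # Hardened: one argument is one source, so it must not contain the separators
  # the browser uses between directives (";") or between sources (whitespace).
  # Several sources are several arguments; another directive is another call.
  def add(directive, *sources)
    sources.each do |src|
      next unless src.match?(/[\s;]/)
      raise ArgumentError, "invalid CSP source #{src.inspect}: pass sources as separate arguments"
    end
    add_unchecked(directive, *sources)
  end

  # Serialises as "directive src src; directive src".
  def to_s
    @directives.map { |name, srcs| "#{name} #{srcs.join(' ')}" }.join("; ")
  end

  # The browser splits on ";" first and on whitespace second; this returns the
  # directive names it would actually enforce for a given header value.
  def self.directives_as_browser_sees(header_value)
    header_value.split(";").map { |d| d.strip.split(/\s+/).first }.compact
  end
end

# Constructed attacker input: a setting that was supposed to hold one host
# but smuggles a second directive after the semicolon.
SMUGGLED = "'self'; script-src https://cdn.attacker.test"

def demo
  loose = Policy.new.add_unchecked("default-src", SMUGGLED).to_s
  strict = Policy.new
                 .add("default-src", "'self'")
                 .add("script-src", "https://cdn.example.test")
                 .to_s
  { loose: loose, loose_directives: Policy.directives_as_browser_sees(loose), strict: strict }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts r[:loose]          # default-src 'self'; script-src https://cdn.attacker.test
  p r[:loose_directives]  # ["default-src", "script-src"]: one call produced two directives
  puts r[:strict]
  begin
    Policy.new.add("default-src", SMUGGLED)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The validated form raises at policy-construction time, which is where you want it: a bad tenant setting then fails loudly during boot or on the first request instead of shipping a weakened policy to every browser.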
|
|
50e7ceb19b |
chore(deps): bump rails-html-sanitizer from 1.6.0 to 1.6.1 (#10528)
Bumps [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer) from 1.6.0 to 1.6.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rails/rails-html-sanitizer/releases">rails-html-sanitizer's releases</a>.</em></p> <blockquote> <h2>1.6.1 / 2024-12-02</h2> <p>This is a performance and security release which addresses several possible XSS vulnerabilities.</p> <ul> <li> <p>The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.</p> <p>This change addresses CVE-2024-53985 (<a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x</a>).</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the <code>prune:</code> option value. Previously, disallowed tags were "stripped" unless the gem was configured with the <code>prune: true</code> option.</p> <p>The CVEs addressed by this change are:</p> <ul> <li>CVE-2024-53986 (<a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48</a>)</li> <li>CVE-2024-53987 (<a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr</a>)</li> </ul> <p><em>Mike Dalessio</em></p> </li> <li> <p>The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. 
If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.</p> <p>The CVEs addressed by this change are:</p> <ul> <li>CVE-2024-53988 (<a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5</a>)</li> <li>CVE-2024-53989 (<a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g</a>)</li> </ul> <p>Please note that we <em>may</em> restore support for allowing "noscript" in a future release. We do not expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal for these tags.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Improve performance by eliminating needless operations on attributes that are being removed. <a href="https://redirect.github.com/rails/rails-html-sanitizer/issues/188">#188</a></p> <p><em>Mike Dalessio</em></p> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md">rails-html-sanitizer's changelog</a>.</em></p> <blockquote> <h2>1.6.1 / 2024-12-02</h2> <p>This is a performance and security release which addresses several possible XSS vulnerabilities.</p> <ul> <li> <p>The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.</p> <p>This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the <code>prune:</code> option value. 
Previously, disallowed tags were "stripped" unless the gem was configured with the <code>prune: true</code> option.</p> <p>The CVEs addressed by this change are:</p> <ul> <li>CVE-2024-53986 (GHSA-638j-pmjw-jq48)</li> <li>CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)</li> </ul> <p><em>Mike Dalessio</em></p> </li> <li> <p>The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.</p> <p>The CVEs addressed by this change are:</p> <ul> <li>CVE-2024-53988 (GHSA-cfjx-w229-hgx5)</li> <li>CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)</li> </ul> <p>Please note that we <em>may</em> restore support for allowing "noscript" in a future release. We do not expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal for these tags.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Improve performance by eliminating needless operations on attributes that are being removed. <a href="https://redirect.github.com/rails/rails-html-sanitizer/issues/188">#188</a></p> <p><em>Mike Dalessio</em></p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
94c918e468 |
chore: [Snyk] Security upgrade google-cloud-storage from 1.44.0 to 1.48.0 (#10148)
- bump up gems based on snyk security alerts |
||
|
|
54afed9fb4 |
feat: add judoscaler gem for heroku autoscaling (#10419)
- add judoscaler gem to allow judoscale use in heroku environments
- This will allow auto scaling for both web and worker dynos across both standard-1x/2x and performance dynos
- This will scale in response to queue time rather than response time (heroku default)
- This also allows you to scale multiple dynos in and out at once, rather than scaling them one at a time, as is the default.

Ref
----
1. https://judoscale.com/
2. https://devcenter.heroku.com/articles/judoscale |
||
|
|
c6c36b1b36 | chore(deps): bump rexml from 3.3.6 to 3.3.9 (#10361) | ||
|
|
e2db5b8cff |
chore(deps): bump actionmailer from 7.0.8.4 to 7.0.8.5 (#10294)
Bumps [actionmailer](https://github.com/rails/rails) from 7.0.8.4 to 7.0.8.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rails/rails/releases">actionmailer's releases</a>.</em></p> <blockquote> <h2>7.0.8.5</h2> <h2>Active Support</h2> <ul> <li>No changes.</li> </ul> <h2>Active Model</h2> <ul> <li>No changes.</li> </ul> <h2>Active Record</h2> <ul> <li>No changes.</li> </ul> <h2>Action View</h2> <ul> <li>No changes.</li> </ul> <h2>Action Pack</h2> <ul> <li> <p>Avoid regex backtracking in HTTP Token authentication</p> <p>[CVE-2024-47887]</p> </li> <li> <p>Avoid regex backtracking in query parameter filtering</p> <p>[CVE-2024-41128]</p> </li> </ul> <h2>Active Job</h2> <ul> <li>No changes.</li> </ul> <h2>Action Mailer</h2> <ul> <li> <p>Avoid regex backtracking in <code>block_format</code> helper</p> <p>[CVE-2024-47889]</p> </li> </ul> <h2>Action Cable</h2> <ul> <li>No changes.</li> </ul> <h2>Active Storage</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
544fe2b913 |
chore(deps): bump actiontext from 7.0.8.4 to 7.0.8.5 (#10293)
Bumps [actiontext](https://github.com/rails/rails) from 7.0.8.4 to 7.0.8.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rails/rails/releases">actiontext's releases</a>.</em></p> <blockquote> <h2>7.0.8.5</h2> <h2>Active Support</h2> <ul> <li>No changes.</li> </ul> <h2>Active Model</h2> <ul> <li>No changes.</li> </ul> <h2>Active Record</h2> <ul> <li>No changes.</li> </ul> <h2>Action View</h2> <ul> <li>No changes.</li> </ul> <h2>Action Pack</h2> <ul> <li> <p>Avoid regex backtracking in HTTP Token authentication</p> <p>[CVE-2024-47887]</p> </li> <li> <p>Avoid regex backtracking in query parameter filtering</p> <p>[CVE-2024-41128]</p> </li> </ul> <h2>Active Job</h2> <ul> <li>No changes.</li> </ul> <h2>Action Mailer</h2> <ul> <li> <p>Avoid regex backtracking in <code>block_format</code> helper</p> <p>[CVE-2024-47889]</p> </li> </ul> <h2>Action Cable</h2> <ul> <li>No changes.</li> </ul> <h2>Active Storage</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
42f6621afb |
feat: Vite + vue 3 💚 (#10047)
Fixes https://github.com/chatwoot/chatwoot/issues/8436
Fixes https://github.com/chatwoot/chatwoot/issues/9767
Fixes https://github.com/chatwoot/chatwoot/issues/10156
Fixes https://github.com/chatwoot/chatwoot/issues/6031
Fixes https://github.com/chatwoot/chatwoot/issues/5696
Fixes https://github.com/chatwoot/chatwoot/issues/9250
Fixes https://github.com/chatwoot/chatwoot/issues/9762

---------

Co-authored-by: Pranav <pranavrajs@gmail.com> Co-authored-by: Sivin Varghese <64252451+iamsivin@users.noreply.github.com> |
||
|
|
d79d9e8b46 |
fix: Include uncategorized articles in the all article section to allow edit/delete (#10153)
Fixes https://github.com/chatwoot/chatwoot/issues/9935
Fixes https://github.com/chatwoot/chatwoot/issues/8213

The articles were grouped by category, with locale being a derived attribute from the category. If a category was deleted, the article wouldn't appear on the dashboard. However, due to a bug, it would show up in the uncategorized section on the public portal, leaving agents unable to edit or update the article.

To address this issue, I've added a locale attribute directly to the article. This attribute is automatically set from the category or the portal's default locale if not supplied. The API parameters now use this attribute to filter articles. As a result, the dashboard will display articles even if they're not associated with a category, improving the overall workflow.

**Main updates:**
- Add locale attribute to the Article model. Add db migration to back fill the data based on the above logic.
- Add a new scope search_by_locale and use it instead of search_by_category_locale.
- Update the ERB template to include the locale filter.
- Move from `joins` to `left_outer_joins` to include the articles with no categories.

---------

Co-authored-by: Sojan <sojan@pepalo.com> |
||
|
|
e68dac8c45 |
chore(deps): bump puma from 6.4.2 to 6.4.3 (#10137)
Bumps [puma](https://github.com/puma/puma) from 6.4.2 to 6.4.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puma/puma/releases">puma's releases</a>.</em></p> <blockquote> <h2>6.4.3</h2> <ul> <li>Security <ul> <li>Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). (<a href="https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4">CVE-2024-45614</a>/GHSA-9hf4-67fc-4vf4)</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/puma/puma/blob/master/History.md">puma's changelog</a>.</em></p> <blockquote> <h2>6.4.3 / 2024-09-19</h2> <ul> <li>Security <ul> <li>Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). (<a href="https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4">CVE-2024-45614</a>/GHSA-9hf4-67fc-4vf4)</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
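The puma fix above rests on a CGI-era convention: a server exposes each request header to the application as `HTTP_` plus the name upper-cased with `-` turned into `_`, so `X-Forwarded-For` and a client-supplied `X-Forwarded_For` both land on `HTTP_X_FORWARDED_FOR`. The following is an added example, not puma's own code, that folds a constructed header list both ways: the collision-prone way, and with the 6.4.3 rule of discarding the underscore spelling whenever the dash spelling is also present. The function names and the sample request are invented here, and joining repeated values with a comma is an assumption about the pre-fix server, made to show why the client's value ends up first.

```ruby
# Added example (not puma's own code): header-name folding into Rack env keys,
# the X-Forwarded-For / X-Forwarded_For collision, and the "drop the underscore
# spelling when the dash spelling exists" rule from puma 6.4.3. Names and the
# request below are constructed for this illustration.

# Wire-order header list as a server behind a reverse proxy would receive it:
# the client sent the underscore spelling, the trusted proxy appended its own.
SAMPLE_HEADERS = [
  ["Host", "app.example.test"],
  ["X-Forwarded_For", "10.0.0.1"],      # attacker-controlled, sent by the client
  ["X-Forwarded-For", "203.0.113.9"],   # set by the proxy from the TCP peer
  ["User-Agent", "curl/8.0"],
].freeze

# "X-Forwarded-For" and "X-Forwarded_For" both become "HTTP_X_FORWARDED_FOR".
def env_key(name)
  "HTTP_#{name.upcase.tr('-', '_')}"
end

# Vulnerable folding: both spellings land on the same key and repeated values
# are joined (assumed pre-fix behaviour), so the client's value comes first.
def fold_headers_unchecked(headers)
  headers.each_with_object({}) do |(name, value), env|
    key = env_key(name)
    env[key] = env[key] ? "#{env[key]}, #{value}" : value
  end
end

# Fixed folding: a header containing "_" is discarded when the same name spelled
# with "-" is also present (case-insensitive). A lone underscore header with no
# dash twin is still passed through.
def fold_headers(headers)
  dash_names = headers.map { |name, _| name.downcase }.reject { |n| n.include?("_") }
  kept = headers.reject do |name, _|
    name.include?("_") && dash_names.include?(name.downcase.tr("_", "-"))
  end
  fold_headers_unchecked(kept)
end

# Typical application consumer that trusts the first hop in X-Forwarded-For.
def client_ip(env)
  env["HTTP_X_FORWARDED_FOR"].to_s.split(",").first&.strip
end

if __FILE__ == $PROGRAM_NAME
  puts client_ip(fold_headers_unchecked(SAMPLE_HEADERS)) # 10.0.0.1 (spoofed)
  puts client_ip(fold_headers(SAMPLE_HEADERS))           # 203.0.113.9 (proxy's value)
end
```

Even with the server-side fix, an application should only trust the part of `X-Forwarded-For` that it knows its own proxy wrote; the folding rule closes this particular spoofing route, not every one.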
|
|
f15a4f8aa4 |
chore(deps): bump google-protobuf from 3.25.3 to 3.25.5 (#10133)
- Bumps google-protobuf from 3.25.3 to 3.25.5. |
||
|
|
8d8ec23aa1 |
chore: [Snyk] Security upgrade rspec-rails from 6.1.4 to 6.1.5 (#10066)
 ### Snyk has created this PR to fix 1 vulnerabilities in the rubygems dependencies of this project. #### Snyk changed the following file(s): - `Gemfile` <details> <summary>⚠️ <b>Warning</b></summary> ``` Failed to update the Gemfile.lock, please update manually before merging. ``` </details> #### Vulnerabilities that will be fixed with an upgrade: | | Issue | Score | :-------------------------:|:-------------------------|:-------------------------  | Web Cache Poisoning <br/>[SNYK-RUBY-RACK-1061917](https://snyk.io/vuln/SNYK-RUBY-RACK-1061917) | **616** --- > [!IMPORTANT] > > - Check the changes in this PR to ensure they won't cause issues with your project. > - Max score is 1000. Note that the real score may have changed since the PR was raised. > - This PR was automatically created by Snyk using the credentials of a real user. --- **Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs._ For more information: <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiJhMWE2MzkzZS03ODdhLTRmYWItOGY1MS0zZjdmN2YzNzVlZDYiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6ImExYTYzOTNlLTc4N2EtNGZhYi04ZjUxLTNmN2Y3ZjM3NWVkNiJ9fQ==" width="0" height="0"/> 🧐 [View latest project report](https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr) 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates) 🛠 [Adjust project settings](https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr/settings) 📚 [Read about Snyk's upgrade logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) --- **Learn how to fix vulnerabilities with free interactive lessons:** 🦉 [Learn about 
vulnerability in an interactive lesson of Snyk Learn.](https://learn.snyk.io/?loc=fix-pr) [//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"rspec-rails","from":"6.1.4","to":"6.1.5"}],"env":"prod","issuesToFix":[{"exploit_maturity":"Proof of Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web Cache Poisoning"},{"exploit_maturity":"Proof of Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web Cache Poisoning"},{"exploit_maturity":"Proof of Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web Cache Poisoning"},{"exploit_maturity":"Proof of Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web Cache 
Poisoning"}],"prId":"a1a6393e-787a-4fab-8f51-3f7f7f375ed6","prPublicId":"a1a6393e-787a-4fab-8f51-3f7f7f375ed6","packageManager":"rubygems","priorityScoreList":[616],"projectPublicId":"b7197bbd-6200-4f23-931d-c39928584360","projectUrl":"https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr","prType":"fix","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["updated-fix-title","pr-warning-shown","priorityScore"],"type":"auto","upgrade":["SNYK-RUBY-RACK-1061917"],"vulns":["SNYK-RUBY-RACK-1061917"],"patch":[],"isBreakingChange":false,"remediationStrategy":"vuln"}' --------- Co-authored-by: snyk-bot <snyk-bot@snyk.io> |
||
|
|
db0e654c03 |
chore: [Snyk] Security upgrade meta_request from 0.8.2 to 0.8.3 (#10061)
snyk security updates |
||
|
|
e99e6a8443 |
chore: [Snyk] Security upgrade omniauth-google-oauth2 from 1.1.2 to 1.1.3 (#10058)
- Security updates from snyk Co-authored-by: snyk-bot <snyk-bot@snyk.io> |
||
|
|
3a0e68030a |
chore: [Snyk] Fix for 1 vulnerabilities (#10038)
fix for vulnerabilities

------

Co-authored-by: snyk-bot <snyk-bot@snyk.io> |