mirror of
https://github.com/chatwoot/chatwoot.git
synced 2026-06-04 21:02:35 +08:00
develop
358 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
170b64d1f1
|
chore: upgrade to vite 6 (#14363)
Upgrades the frontend toolchain to Vite 6 and tidies up the build config along the way. Behavior is unchanged for end users; this is dev/build infra.
## What changed
- `vite` 5.4 → 6.4, `@vitejs/plugin-vue` → 5.2, `vite-plugin-ruby` → 5.2 (with matching `vite_rails`/`vite_ruby` gem bumps).
- Dropped the `vite-node` 2.0.1 pnpm override — no longer needed now that vitest 3 runs on Vite 6 directly.
- Split the single `vite.config.ts` into:
  - `vite.config.ts` (app), `vite.lib.config.ts` (SDK), `vite.shared.ts` (aliases / Vue options), `vitest.config.ts` (tests).
- `pnpm build:sdk` now selects the SDK config explicitly instead of branching on `BUILD_MODE=library`. SDK output path is unchanged (`public/packs/js/sdk.js`).

No changes needed to Docker images, deployment scripts, or CI — Node 24 and pnpm 10 are already past Vite 6's floor, and the rake `assets:precompile` hook still drives the SDK build via `pnpm`.
## How to test
- `pnpm dev` and verify the dashboard, widget, and survey routes load and HMR works.
- Load a Chatwoot site widget on a test page and confirm `sdk.js` is served and the widget mounts.
- `RAILS_ENV=production bundle exec rake assets:precompile` and confirm `public/packs/js/sdk.js` plus the rest of the manifest are produced.
- `pnpm test` for the JS suite.
---------
Co-authored-by: Sivin Varghese <64252451+iamsivin@users.noreply.github.com>
Co-authored-by: Sony Mathew <2040199+sony-mathew@users.noreply.github.com>
|
||
|
|
94daf26ead
|
chore: update jwt and faraday (#14577)
This PR updates two dependencies — `faraday` (2.14.1 → 2.14.2) and `jwt` (2.10.1 → 2.10.3) — to pick up security patches flagged by `bundle-audit`. Both are bumped to the minimal patched release within their existing major lines to keep the blast radius small.
### Faraday
`Faraday::Connection#build_exclusive_url` still allowed a protocol-relative host override when the request target was passed as a `URI` object (rather than a `String`), bypassing the earlier fix for the string-based variant (CVE-2026-25765 / GHSA-33mh-2634-fwr2). On a fixed-base connection this could redirect a request to an attacker-controlled host while still forwarding connection-scoped headers such as `Authorization` — i.e. off-host request forgery (CVE-2026-33637 / GHSA-5rv5-xj5j-3484).

The fix is a clean patch bump to `2.14.2`, within Faraday's existing version range — no API changes and no other gems affected.
### JWT
`jwt` 2.10.1 accepts an empty/`nil` HMAC key during verification: `JWT.decode(token, "", true, algorithm: 'HS256')` (and keyfinder paths returning `""`/`nil`) verify a forged token, because the empty-key HMAC digest is treated as valid and `enforce_hmac_key_length` defaults to `false` (CVE-2026-45363, High).

The advisory offers two fixes — `~> 2.10.3` or `>= 3.2.0`. We chose **2.10.3** deliberately: jumping to 3.x cascaded into upgrading `oauth2`, `twilio-ruby`, `googleauth`, `web-push`, and `signet` (all pinned `jwt < 3.0`), and `jwt` is used directly in 8+ places here (token services, OAuth callbacks, integration helpers), so a major bump carries real breakage risk for no extra security benefit. The Gemfile is pinned `'~> 2.10', '>= 2.10.3'` to hold the 2.x line.

**Spec changes.** 2.10.3 tightens key handling: HMAC sign/verify now raises on a `nil`, empty, or non-`String` key instead of silently coercing it. A few specs relied on the old lax behaviour and needed updating:
- `microsoft` / `google` callback specs built unsigned ID tokens via `JWT.encode(payload, false)`. Replaced with the correct unsigned form, `JWT.encode(payload, nil, 'none')`.
- `instagram` / `linear` / `shopify` helper specs have a "client secret not configured" context where `client_secret` is `nil`. Their shared `valid_token` `let` signed with that `nil` secret, which Ruby evaluates before the helper runs — now raising. Since the helper short-circuits on the blank secret and never decodes the token, those contexts now override `valid_token` with a throwaway string.

**Production is unaffected.** Every production HMAC path uses a real, non-empty key — `Rails.application.secret_key_base` (`BaseTokenService`, `Widget::TokenService`) or a client secret guarded by `return if client_secret.blank?` (Instagram/TikTok/Shopify/Linear helpers). The one `nil`-key call, `JWT.decode(id_token, nil, false)` in `OauthCallbackController`, runs with verification disabled, so the key is never inspected. Twilio voice tokens use `Twilio::JWT::AccessToken` from `twilio-ruby`, not this gem. The specs failed precisely because they exercised the unsafe empty-key pattern the patch now blocks — production never did.
|
||
|
|
3d20a7b049
|
feat: generate Help Center for Onboarding (#14370)
## Manually triggering help center generation
Open a Rails console (`bundle exec rails console`):
```ruby
account = Account.find(<ACCOUNT_ID>)
user = account.users.first
# Optional: refresh brand info from the customer's website
domain = 'example.com'
result = WebsiteBrandingService.new("noreply@#{domain}").perform
account.update!(
  name: result[:title].presence || account.name,
  custom_attributes: account.custom_attributes.merge('website' => domain, 'brand_info' => result)
)
# Optional: wipe existing portals so a fresh one is created
account.portals.destroy_all
Onboarding::HelpCenterCreationService.new(account, user).perform
```
Sidekiq must be running — articles are written by
`Onboarding::HelpCenterArticleGenerationJob`. Avoid running on
production; generation calls the LLM provider.
### Generation flow (Happy Path)
```mermaid
sequenceDiagram
autonumber
participant Kickoff as HelpCenterCreationService
participant DB as DB
participant GenJob as HelpCenterArticleGenerationJob
participant Curator as HelpCenterCurator
participant Firecrawl as Firecrawl
participant CuratorLLM as Curation LLM
participant Redis as Redis Progress
participant WriterJob as HelpCenterArticleWriterJob
participant Builder as HelpCenterArticleBuilder
participant WriterLLM as Writer LLM
participant Cable as ActionCable
Kickoff->>DB: Create portal for account<br/>homepage_link=https://chatwoot.com
Kickoff->>DB: Attach brand logo if available
Kickoff->>GenJob: Enqueue generation job<br/>account_id, portal_id, user_id, generation_id
GenJob->>Curator: Curate help center plan
Curator->>Firecrawl: map https://chatwoot.com<br/>search: docs help support faq
Firecrawl-->>Curator: Return discovered links
Curator->>CuratorLLM: Select categories + article plans<br/>from discovered links only
CuratorLLM-->>Curator: Return categories, articles, allowed_urls
GenJob->>DB: Create portal categories
GenJob->>GenJob: Stamp articles with category_id
GenJob->>GenJob: Filter article URLs against allowed_urls
GenJob->>GenJob: Drop articles with no category<br/>or no approved source URLs
GenJob->>Redis: Start progress<br/>status=generating, total=N, finished=0
loop For each approved article
GenJob->>WriterJob: Enqueue writer job<br/>title, category_id, approved URLs
end
par Writer jobs run independently
WriterJob->>Builder: Build article from approved URLs
Builder->>Firecrawl: batch_scrape approved URLs
Firecrawl-->>Builder: Return Markdown source pages
Builder->>WriterLLM: Rewrite sources into one article
WriterLLM-->>Builder: Return title, description, Markdown content
Builder->>DB: Create draft portal article<br/>meta.source_urls
WriterJob->>Redis: Increment finished count
WriterJob->>Cable: Broadcast help_center.article_generated
end
WriterJob->>Redis: If finished >= total<br/>mark status=completed
WriterJob->>Cable: Broadcast help_center.generation_completed
```
### Redis State Management
```mermaid
stateDiagram-v2
[*] --> active_pointer_set
active_pointer_set --> generating: generation job creates valid plan
active_pointer_set --> skipped: curation skipped/failed
generating --> generating: each writer job increments finished
generating --> completed: finished == total
generating --> ignored_completion: generation_id superseded
skipped --> [*]
completed --> [*]
ignored_completion --> [*]
```
|
||
|
|
1913ccadfa
|
fix: [CW-7141] fix gem audit issue for sidekiq-cron and devise (#14497)
# Pull Request Template
## Description
* sidekiq-cron upgraded to 2.4.0
* Sidekiq constrained to stay on 7.3.x
* Devise advisory ignored in .bundler-audit.yml with the reason: Chatwoot does not enable Timeoutable, so the timeout redirect path is not reachable
### Details
The sidekiq-cron upgrade is from 1.12.0 to 2.4.0.

What changed that matters for us:

Fixes the reported Sidekiq Web UI reflected XSS in 2.4.0.

Adds namespace handling changes from the 2.x series. Chatwoot does not use custom cron namespaces in config/schedule.yml, so the migration guide says no action is needed for our usage.

Drops support for old Sidekiq/Redis versions. We are still on Sidekiq 7.3.1, which is supported.

Adds new dependencies: cronex and unicode.

Keeps the same APIs we use: Sidekiq::Cron::Job.load_from_hash!(schedule, source: 'schedule'), Sidekiq::Cron::Job.destroy(name), and require 'sidekiq/cron/web' still exist.

Chance of breakage: low, based on the current Chatwoot usage. The main thing I would watch after deploy is scheduled job registration in Sidekiq.

The one subtle area is namespace behavior: if production has custom, manually-created cron jobs using non-default namespaces, load_from_hash! cleanup behavior could matter. For the committed config/schedule.yml jobs, which do not specify namespaces, they should continue in the default namespace.

For concerns around Devise, it does not look exploitable in current Chatwoot, because Chatwoot does not enable Devise :timeoutable.

I checked:

app/models/user.rb (line 59) lists the Devise modules, and :timeoutable is not included.

config/initializers/devise.rb (line 164) has the timeoutable section, but config.timeout_in is commented out.

SuperAdmin inherits from User, so it does not add a separate timeoutable path either.

So from a practical security perspective: the vulnerable redirect path requires warden_message == :timeout, which is only produced by Devise Timeoutable. Since Chatwoot does not use Timeoutable, this warning is not currently reachable.

Is the patch really needed? Strictly for current exploitability: no.

Fixes #CW-7141
## Type of change
Please delete options that are not relevant.
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality not to work as expected)
- [ ] This change requires a documentation update
## How Has This Been Tested?
Spec and lints and change-log checks with codex.
## Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [ ] I have commented on my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream modules

Co-authored-by: Vishnu Narayanan <iamwishnu@gmail.com>
|
||
|
|
cfc7699b7e
|
chore(deps): bump net-imap from 0.4.20 to 0.4.24 (#14361)
Bumps [net-imap](https://github.com/ruby/net-imap) from 0.4.20 to 0.4.24.

**Release notes**

*Sourced from [net-imap's releases](https://github.com/ruby/net-imap/releases).*

> ## v0.4.24
>
> > [!IMPORTANT]
> > *The `0.4.x` release branch will only receive critical security fixes, and will be unsupported when ruby 3.3 is EOL. Please upgrade to a newer version.*
>
> ## What's Changed
>
> ### 🔒 Security
>
> This release contains fixes for **multiple vulnerabilities** concerning ***`STARTTLS` stripping***, argument validation, and denial of service attacks.
>
> > [!WARNING]
> > [ruby/net-imap#666](https://redirect.github.com/ruby/net-imap/pull/666) fixes a `STARTTLS` stripping vulnerability (GHSA-vcgp-9326-pqcp). Without this fix, a man-in-the-middle attacker can cause `Net::IMAP#starttls` to return "successfully", ***without starting TLS***.
>
> > [!IMPORTANT]
> > Argument validation is significantly improved. Several injection vulnerabilities have been fixed:
> > [ruby/net-imap#663](https://redirect.github.com/ruby/net-imap/pull/663) fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px).
> > [ruby/net-imap#663](https://redirect.github.com/ruby/net-imap/pull/663) fixes CRLF/command/argument injection via the `attr` argument to `#store`/`#uid_store` (GHSA-hm49-wcqc-g2xg)
> > [ruby/net-imap#663](https://redirect.github.com/ruby/net-imap/pull/663) fixes CRLF/command/argument injection via the `storage_limit` argument to `#setquota` (GHSA-hm49-wcqc-g2xg).
> > [ruby/net-imap#663](https://redirect.github.com/ruby/net-imap/pull/663) fixes CRLF/command injection via `RawData` (GHSA-hm49-wcqc-g2xg):
> >
> > - `#search` and `#uid_search` send `criteria` as raw data, when it is a String
> > - `#fetch` and `#uid_fetch` send `attr` as raw data, when it is a String. When `attr` is an Array, its String members are sent as raw data.
>
> > [!CAUTION]
> > `RawData` does not defend against *other* forms of argument injection! It is an intentionally low-level API.
>
> > [!NOTE]
> > Two denial of service vulnerabilities have been addressed. These are generally only relevant when connecting to an *untrusted hostile server* (or without TLS).
> >
> > [ruby/net-imap#651](https://redirect.github.com/ruby/net-imap/pull/651) fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw). [ruby/net-imap#655](https://redirect.github.com/ruby/net-imap/pull/655) adds a configurable `max_iterations` count for `SCRAM-*` authentication (GHSA-87pf-fpwv-p7m7).
> >
> > The default `ScramAuthenticator#max_iterations` is `2**31 - 1` (max 32-bit signed int), which was already OpenSSL's maximum value. *It provides no protection* against hostile servers unless it is explicitly set to a lower value by the user.
>
> ### Added
>
> - 🔒 Add `ScramAuthenticator#max_iterations` (backports [#654](https://redirect.github.com/ruby/net-imap/issues/654)) in [ruby/net-imap#655](https://redirect.github.com/ruby/net-imap/pull/655), reported by [`@Masamuneee`](https://github.com/Masamuneee)
>
> ### Fixed
>
> - 🔒 Fix STARTTLS stripping vulnerability (backports [#664](https://redirect.github.com/ruby/net-imap/issues/664)) in [ruby/net-imap#666](https://redirect.github.com/ruby/net-imap/pull/666), reported by [`@Masamuneee`](https://github.com/Masamuneee)
> - 🔒 Fix CRLF injection vulnerabilities (backports [#657](https://redirect.github.com/ruby/net-imap/issues/657), [#658](https://redirect.github.com/ruby/net-imap/issues/658), [#659](https://redirect.github.com/ruby/net-imap/issues/659), [#660](https://redirect.github.com/ruby/net-imap/issues/660), [#636](https://redirect.github.com/ruby/net-imap/issues/636), [#661](https://redirect.github.com/ruby/net-imap/issues/661)) in [ruby/net-imap#663](https://redirect.github.com/ruby/net-imap/pull/663), reported by [`@manunio`](https://github.com/manunio)
> - ⚡ Much faster ResponseReader performance (backports [#642](https://redirect.github.com/ruby/net-imap/issues/642)) in [ruby/net-imap#651](https://redirect.github.com/ruby/net-imap/pull/651), reported by [`@Masamuneee`](https://github.com/Masamuneee)
> - 🐛 Wait to continue RawData literals (backports [#660](https://redirect.github.com/ruby/net-imap/issues/660)) by [`@nevans`](https://github.com/nevans) in [ruby/net-imap#663](https://redirect.github.com/ruby/net-imap/pull/663)
>
> ### Other Changes
>
> - ♻️ Improve internal literal sending (partially backports [#358](https://redirect.github.com/ruby/net-imap/issues/358), [#616](https://redirect.github.com/ruby/net-imap/issues/616), [#649](https://redirect.github.com/ruby/net-imap/issues/649)) by [`@nevans`](https://github.com/nevans) in [ruby/net-imap#653](https://redirect.github.com/ruby/net-imap/pull/653)
>
> **Full Changelog**: https://github.com/ruby/net-imap/compare/v0.4.23...v0.4.24

... (truncated)
|
||
|
|
79a7423f9f
|
chore(deps): bump nokogiri from 1.19.1 to 1.19.3 (#14410)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.19.1 to 1.19.3.

**Release notes**

*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).*

> ## v1.19.3 / 2026-04-27
>
> ### Fixed / Security
>
> - Address exponential regex backtracking in CSS selector tokenizer. See [GHSA-c4rq-3m3g-8wgx](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx) for more information.
> - [CRuby] Address memory leak in `XSLT::Stylesheet#transform`. See [GHSA-v2fc-qm4h-8hqv](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv) for more information.
>
> ## v1.19.2 / 2026-03-19
>
> ### Dependencies
>
> - [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. [#3611](https://redirect.github.com/sparklemotion/nokogiri/issues/3611) [`@flavorjones`](https://github.com/flavorjones)
>
> ### SHA256 Checksums
>
> **Full Changelog**: https://github.com/sparklemotion/nokogiri/compare/v1.19.1...v1.19.2

**Changelog**

*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md).*

> ## v1.19.3 / 2026-04-27
>
> ### Fixed / Security
>
> - Address exponential regex backtracking in CSS selector tokenizer. See [GHSA-c4rq-3m3g-8wgx](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx) for more information.
> - [CRuby] Address memory leak in `XSLT::Stylesheet#transform`. See [GHSA-v2fc-qm4h-8hqv](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv) for more information.
>
> ## v1.19.2 / 2026-03-19
>
> ### Dependencies
>
> - [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. [#3611](https://redirect.github.com/sparklemotion/nokogiri/issues/3611) [`@flavorjones`](https://github.com/flavorjones)

|
||
|
|
aa10d42237
|
chore: bump RubyLLM version [AI-152] (#14387)
# Pull Request Template
## Description
Bump RubyLLM version and update model registry
## Type of change
Version bump on package
## How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

locally and specs
## Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [x] I have commented on my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [x] Any dependent changes have been merged and published in downstream modules
|
||
|
|
dd52f1d32b
|
chore(deps): bump rack-session from 2.1.1 to 2.1.2 (#14017)
Bumps [rack-session](https://github.com/rack/rack-session) from 2.1.1 to 2.1.2.

**Changelog**

*Sourced from [rack-session's changelog](https://github.com/rack/rack-session/blob/main/releases.md).*

> ## v2.1.2
>
> - [CVE-2026-39324](https://github.com/advisories/GHSA-33qg-7wpp-89cq) Don't fall back to unencrypted coder if encryptors are present.

|
||
|
|
deb259c8d2
|
chore(deps): bump rack from 3.2.5 to 3.2.6 (#13987)
Bumps [rack](https://github.com/rack/rack) from 3.2.5 to 3.2.6.

**Release notes**

*Sourced from [rack's releases](https://github.com/rack/rack/releases).*

> ## v3.2.6
>
> **Full Changelog**: https://github.com/rack/rack/compare/v3.2.5...v3.2.6

**Changelog**

*Sourced from [rack's changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md).*

> ## [3.2.6] - 2026-04-01
>
> ### Security
>
> - [CVE-2026-34763](https://github.com/advisories/GHSA-7mqq-6cf9-v2qp) Root directory disclosure via unescaped regex interpolation in `Rack::Directory`.
> - [CVE-2026-34230](https://github.com/advisories/GHSA-v569-hp3g-36wr) Avoid O(n^2) algorithm in `Rack::Utils.select_best_encoding` which could lead to denial of service.
> - [CVE-2026-32762](https://github.com/advisories/GHSA-qfgr-crr9-7r49) Forwarded header semicolon injection enables Host and Scheme spoofing.
> - [CVE-2026-26961](https://github.com/advisories/GHSA-vgpv-f759-9wx3) Raise error for multipart requests with multiple boundary parameters.
> - [CVE-2026-34786](https://github.com/advisories/GHSA-q4qf-9j86-f5mh) `Rack::Static` `header_rules` bypass via URL-encoded path mismatch.
> - [CVE-2026-34831](https://github.com/advisories/GHSA-q2ww-5357-x388) `Content-Length` mismatch in `Rack::Files` error responses.
> - [CVE-2026-34826](https://github.com/advisories/GHSA-x8cg-fq8g-mxfx) Multipart byte range processing allows denial of service via excessive overlapping ranges.
> - [CVE-2026-34835](https://github.com/advisories/GHSA-g2pf-xv49-m2h5) `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
> - [CVE-2026-34830](https://github.com/advisories/GHSA-qv7j-4883-hwh7) `Rack::Sendfile` header-based `X-Accel-Mapping` regex injection enables unauthorized `X-Accel-Redirect`.
> - [CVE-2026-34785](https://github.com/advisories/GHSA-h2jq-g4cq-5ppq) `Rack::Static` prefix matching can expose unintended files under the static root.
> - [CVE-2026-34829](https://github.com/advisories/GHSA-8vqr-qjwx-82mw) Multipart parsing without `Content-Length` header allows unbounded chunked file uploads.
> - [CVE-2026-34827](https://github.com/advisories/GHSA-v6x5-cg8r-vv6x) Multipart header parsing allows denial of service via escape-heavy quoted parameters.
> - [CVE-2026-26962](https://github.com/advisories/GHSA-rx22-g9mx-qrhv) Improper unfolding of folded multipart headers preserves CRLF in parsed parameter values.

|
||
|
|
80fccbc526
|
fix: render slack emoji shortcodes as unicode characters (#12928)
This PR fixes an issue where Slack emojis are rendered as text
shortcodes (e.g. 🚀) instead of the actual emoji characters in
Chatwoot messages.
It introduces a new EmojiFormatter class that uses the emoji-data
mapping to convert shortcodes to unicode characters.
---------
Co-authored-by: Sony Mathew <sony@chatwoot.com>
Co-authored-by: Sony Mathew <2040199+sony-mathew@users.noreply.github.com>
|
||
|
|
bcdb73502e
|
chore(deps): bump addressable from 2.8.7 to 2.9.0 (#14019)
Bumps [addressable](https://github.com/sporkmonger/addressable) from 2.8.7 to 2.9.0.

**Changelog**

*Sourced from [addressable's changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md).*

> ## Addressable 2.9.0
>
> - fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)
>
> ## Addressable 2.8.10
>
> - fixes ReDoS vulnerability in Addressable::Template#match
>
> ## Addressable 2.8.9
>
> - Reduce gem size by excluding test files ([#569](https://redirect.github.com/sporkmonger/addressable/issues/569))
> - No need for bundler as development dependency ([#571](https://redirect.github.com/sporkmonger/addressable/issues/571), [5fc1d93](https://github.com/sporkmonger/addressable/commit/5fc1d93))
> - idna/pure: stop building the useless `COMPOSITION_TABLE` (removes the `Addressable::IDNA::COMPOSITION_TABLE` constant) ([#564](https://redirect.github.com/sporkmonger/addressable/issues/564))
>
> [#569](https://redirect.github.com/sporkmonger/addressable/issues/569): [sporkmonger/addressable#569](https://redirect.github.com/sporkmonger/addressable/pull/569)
> [#571](https://redirect.github.com/sporkmonger/addressable/issues/571): [sporkmonger/addressable#571](https://redirect.github.com/sporkmonger/addressable/pull/571)
> [#564](https://redirect.github.com/sporkmonger/addressable/issues/564): [sporkmonger/addressable#564](https://redirect.github.com/sporkmonger/addressable/pull/564)
>
> ## Addressable 2.8.8
>
> - Replace the `unicode.data` blob by a ruby constant ([#561](https://redirect.github.com/sporkmonger/addressable/issues/561))
> - Allow `public_suffix` 7 ([#558](https://redirect.github.com/sporkmonger/addressable/issues/558))
>
> [#561](https://redirect.github.com/sporkmonger/addressable/issues/561): [sporkmonger/addressable#561](https://redirect.github.com/sporkmonger/addressable/pull/561)
> [#558](https://redirect.github.com/sporkmonger/addressable/issues/558): [sporkmonger/addressable#558](https://redirect.github.com/sporkmonger/addressable/pull/558)

|
||
|
|
0920a01e66
|
fix(i18n): align pluralization with locale rules (#14266)
Loads Rails locale-specific pluralization rules so languages with an `other`-only plural model can safely use Crowdin exports without maintaining duplicate `one` keys.
## Closes
None
## Why
Crowdin exports Rails YAML pluralized strings using each target language's plural categories. These categories come from Unicode CLDR and represent grammatical forms, not a literal "number is 1" bucket.

Some languages need separate forms such as `one` and `other`, but languages like Japanese, Korean, Indonesian, Thai, Vietnamese, and Chinese use the same form for `1`, `2`, `5`, and larger counts in these strings. For those locales, CLDR correctly models the plural category as `other` only.

Before this change, Chatwoot still relied on Rails' default English-style plural behavior for these locales. That meant a valid Crowdin export containing only `other` could fail at runtime when Rails received `count: 1` and looked for a missing `one` branch.

Keeping duplicate `one` keys would only fight Crowdin on every translation sync. The runtime should instead follow the locale's plural rules.
## What changed
- Added `rails-i18n` and enabled only its pluralization module.
- Added explicit `other`-only plural rules for Chatwoot's underscore Chinese locale aliases, `zh_CN` and `zh_TW`.
- Removed redundant `one` keys from the affected Devise and `time_units` translations.
## Validation
- Ran a Rails runner check across `id`, `ja`, `ko`, `ms`, `th`, `vi`, `zh_CN`, and `zh_TW` to verify `errors.messages.not_saved` and `time_units.days` resolve with only `other` for `count: 1`.
- Ran YAML parse validation for all edited locale files.
- Ran `bundle exec rubocop Gemfile config/application.rb config/initializers/i18n_pluralization.rb`.
|
||
|
|
871f2f4d56
|
fix: harden fetching on upload endpoint (#14012) | ||
|
|
4b849cdd11
|
chore(deps): bump bcrypt from 3.1.20 to 3.1.22 (#13852)
Bumps [bcrypt](https://github.com/bcrypt-ruby/bcrypt-ruby) from 3.1.20 to 3.1.22. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/bcrypt-ruby/bcrypt-ruby/releases">bcrypt's releases</a>.</em></p> <blockquote> <h2>v3.1.22</h2> <h2>What's Changed</h2> <ul> <li>Move compilation after bundle install by <a href="https://github.com/tenderlove"><code>@tenderlove</code></a> in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/291">bcrypt-ruby/bcrypt-ruby#291</a></li> <li>Add TruffleRuby in CI by <a href="https://github.com/tjschuck"><code>@tjschuck</code></a> in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/293">bcrypt-ruby/bcrypt-ruby#293</a></li> <li>fix env url by <a href="https://github.com/tenderlove"><code>@tenderlove</code></a> in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/294">bcrypt-ruby/bcrypt-ruby#294</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/bcrypt-ruby/bcrypt-ruby/compare/v3.1.21...v3.1.22">https://github.com/bcrypt-ruby/bcrypt-ruby/compare/v3.1.21...v3.1.22</a></p> <h2>v3.1.21</h2> <h2>What's Changed</h2> <ul> <li>Provide a 'Changelog' link on rubygems.org/gems/bcrypt by <a href="https://github.com/mark-young-atg"><code>@mark-young-atg</code></a> in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/274">bcrypt-ruby/bcrypt-ruby#274</a></li> <li>Support ruby 3.3 and 3.4.0-preview1 by <a href="https://github.com/m-nakamura145"><code>@m-nakamura145</code></a> in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/276">bcrypt-ruby/bcrypt-ruby#276</a></li> <li>Mark as ractor-safe by <a href="https://github.com/mohamedhafez"><code>@mohamedhafez</code></a> in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/280">bcrypt-ruby/bcrypt-ruby#280</a></li> <li>Add == gotcha that can be unintuitive at first by <a href="https://github.com/federicoaldunate"><code>@federicoaldunate</code></a> in 
<a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/279">bcrypt-ruby/bcrypt-ruby#279</a></li> <li>Constant compare by <a href="https://github.com/tenderlove"><code>@tenderlove</code></a> in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/282">bcrypt-ruby/bcrypt-ruby#282</a></li> <li>try to modernize CI by <a href="https://github.com/tenderlove"><code>@tenderlove</code></a> in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/287">bcrypt-ruby/bcrypt-ruby#287</a></li> <li>Try to deal with flaky tests by <a href="https://github.com/tenderlove"><code>@tenderlove</code></a> in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/288">bcrypt-ruby/bcrypt-ruby#288</a></li> <li>Configure trusted publishing by <a href="https://github.com/tenderlove"><code>@tenderlove</code></a> in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/289">bcrypt-ruby/bcrypt-ruby#289</a></li> <li>bump version by <a href="https://github.com/tenderlove"><code>@tenderlove</code></a> in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/290">bcrypt-ruby/bcrypt-ruby#290</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/mark-young-atg"><code>@mark-young-atg</code></a> made their first contribution in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/274">bcrypt-ruby/bcrypt-ruby#274</a></li> <li><a href="https://github.com/m-nakamura145"><code>@m-nakamura145</code></a> made their first contribution in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/276">bcrypt-ruby/bcrypt-ruby#276</a></li> <li><a href="https://github.com/mohamedhafez"><code>@mohamedhafez</code></a> made their first contribution in <a href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/280">bcrypt-ruby/bcrypt-ruby#280</a></li> <li><a href="https://github.com/federicoaldunate"><code>@federicoaldunate</code></a> made their first contribution in <a 
href="https://redirect.github.com/bcrypt-ruby/bcrypt-ruby/pull/279">bcrypt-ruby/bcrypt-ruby#279</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/bcrypt-ruby/bcrypt-ruby/compare/v3.1.20...v3.1.21">https://github.com/bcrypt-ruby/bcrypt-ruby/compare/v3.1.20...v3.1.21</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/CHANGELOG">bcrypt's changelog</a>.</em></p> <blockquote> <p>3.1.22 Mar 18 2026</p> <ul> <li>[CVE-2026-33306] Fix integer overflow in Java extension</li> </ul> <p>3.1.21 Dec 31 2025</p> <ul> <li>Use constant time comparisons</li> <li>Mark as Ractor safe</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
310590cae3
|
chore(deps): bump json from 2.18.1 to 2.19.2 (#13849)
Bumps [json](https://github.com/ruby/json) from 2.18.1 to 2.19.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ruby/json/releases">json's releases</a>.</em></p> <blockquote> <h2>v2.19.2</h2> <h2>What's Changed</h2> <ul> <li>Fix a format string injection vulnerability in <code>JSON.parse(doc, allow_duplicate_key: false)</code>. <code>CVE-2026-33210</code></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ruby/json/compare/v2.19.1...v2.19.2">https://github.com/ruby/json/compare/v2.19.1...v2.19.2</a></p> <h2>v2.19.1</h2> <h2>What's Changed</h2> <ul> <li>Fix a compiler dependent GC bug introduced in <code>2.18.0</code>.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ruby/json/compare/v2.19.0...v2.19.1">https://github.com/ruby/json/compare/v2.19.0...v2.19.1</a></p> <h2>v2.19.0</h2> <h2>What's Changed</h2> <ul> <li>Fix <code>allow_blank</code> parsing option to no longer allow invalid types (e.g. <code>load([], allow_blank: true)</code> now raise a type error).</li> <li>Add <code>allow_invalid_escape</code> parsing option to ignore backslashes that aren't followed by one of the valid escape characters.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ruby/json/compare/v2.18.1...v2.19.0">https://github.com/ruby/json/compare/v2.18.1...v2.19.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ruby/json/blob/master/CHANGES.md">json's changelog</a>.</em></p> <blockquote> <h3>2026-03-18 (2.19.2)</h3> <ul> <li>Fix a format string injection vulnerability in <code>JSON.parse(doc, allow_duplicate_key: false)</code>. <code>CVE-2026-33210</code>.</li> </ul> <h3>2026-03-08 (2.19.1)</h3> <ul> <li>Fix a compiler dependent GC bug introduced in <code>2.18.0</code>.</li> </ul> <h3>2026-03-06 (2.19.0)</h3> <ul> <li>Fix <code>allow_blank</code> parsing option to no longer allow invalid types (e.g. 
<code>load([], allow_blank: true)</code> now raise a type error).</li> <li>Add <code>allow_invalid_escape</code> parsing option to ignore backslashes that aren't followed by one of the valid escape characters.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
9a9398b386
|
feat: validate OpenAPI spec using Skooma (#13623)
Adds Skooma-based OpenAPI validation so SDK-facing request specs can assert that documented request and response contracts match real Rails behavior. This also upgrades the spec to OpenAPI 3.1 and fixes contract drift uncovered while validating core application and platform resources. Closes None Why We want CI to catch OpenAPI drift before it reaches SDK consumers. While wiring validation in, this PR surfaced several mismatches between the documented contract and what the Rails endpoints actually accept or return. What this change does - Adds Skooma-backed OpenAPI validation to the request spec flow and a dedicated OpenAPI validation spec. - Migrates nullable schema definitions to OpenAPI 3.1-compatible unions. - Updates core SDK-facing schemas and payloads across accounts, contacts, conversations, inboxes, messages, teams, reporting events, and platform account resources. - Documents concrete runtime cases that were previously missing or inaccurate, including nested `profile` update payloads, multipart avatar uploads, required profile update bodies, nullable inbox feature flags, and message sender types that include both `Captain::Assistant` and senderless activity-style messages. - Regenerates the committed Swagger JSON and tag-group artifacts used by CI sync checks. Validation - `bundle exec rake swagger:build` - `bundle exec rspec spec/swagger/openapi_spec.rb` --------- Co-authored-by: Sojan Jose <sojan@pepalo.com> |
||
|
|
4576e75a67
|
fix: bump redis-client to 0.26.4 to fix Sentinel resolution (#13689)
Description: ## Summary - `redis-client` 0.22.2 uses `.call()` during Sentinel master resolution, but `redis-rb` 5.x undefines `.call()` (only `.call_v()` exists), causing Sentinel connections to fail. - Bumps `redis-client` from 0.22.2 to 0.26.4 which includes the upstream fix (redis-rb/redis-client#283). - Also bumps transitive dependency `connection_pool` from 2.5.3 to 2.5.5. Fixes #11665 https://github.com/chatwoot/chatwoot/issues/8368 ## Test - `bundle exec rspec spec/lib/redis/config_spec.rb` passes - Full CI suite passes |
||
|
|
7cec4ebaae
|
feat: support multimodal user messages in captain v2 (#13581)
Extract and pass image attachments from the latest user message to the runner, excluding the last user message from the context for processing. Fixes #13588 # Pull Request Template ## Description Adds image support to captain v2 ## Type of change Please delete options that are not relevant. - [x] Bug fix (non-breaking change which fixes an issue) ## How Has This Been Tested? Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. specs and local testing <img width="754" height="1008" alt="image" src="https://github.com/user-attachments/assets/914cbc2c-9d30-42d0-87d4-9e5430845c87" /> langfuse also shows media correctly with the instrumentation code: <img width="1800" height="1260" alt="image" src="https://github.com/user-attachments/assets/ce0f5fa6-b1a5-42ec-a213-9a82b1751037" /> ## Checklist: - [x] My code follows the style guidelines of this project - [x] I have performed a self-review of my code - [x] I have commented on my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [x] My changes generate no new warnings - [x] I have added tests that prove my fix is effective or that my feature works - [x] New and existing unit tests pass locally with my changes - [x] Any dependent changes have been merged and published in downstream modules --------- Co-authored-by: Shivam Mishra <scm.mymail@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> |
||
|
|
26c38a90f2
|
chore(deps): bump nokogiri from 1.18.9 to 1.19.1 (#13586)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.18.9 to 1.19.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/releases">nokogiri's releases</a>.</em></p> <blockquote> <h2>v1.19.1 / 2026-02-16</h2> <h3>Security</h3> <ul> <li>[CRuby] Address unchecked return value from <code>xmlC14NExecute</code> which was a contributing cause to ruby-saml GHSA-x4h9-gwv3-r4m4. See <a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532">GHSA-wx95-c6cv-8532</a> for more information.</li> </ul> <h2>v1.19.0 / 2025-12-28</h2> <h4>Ruby</h4> <p>This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.</p> <ul> <li>Introduce native gem support for Ruby 4.0. 
<a href="https://redirect.github.com/sparklemotion/nokogiri/issues/3590">#3590</a></li> <li>End support for Ruby 3.1, for which <a href="https://www.ruby-lang.org/en/downloads/branches/">upstream support ended 2025-03-26</a>.</li> <li>End support for JRuby 9.4 (which targets Ruby 3.1 compatibility).</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md">nokogiri's changelog</a>.</em></p> <blockquote> <h2>v1.19.1 / 2026-02-16</h2> <h3>Security</h3> <ul> <li>[CRuby] Address unchecked return value from <code>xmlC14NExecute</code> which was a contributing cause to ruby-saml GHSA-x4h9-gwv3-r4m4. 
See <a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532">GHSA-wx95-c6cv-8532</a> for more information.</li> </ul> <h2>v1.19.0 / 2025-12-28</h2> <h4>Ruby</h4> <p>This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.</p> <ul> <li>Introduce native gem support for Ruby 4.0. <a href="https://redirect.github.com/sparklemotion/nokogiri/issues/3590">#3590</a></li> <li>End support for Ruby 3.1, for which <a href="https://www.ruby-lang.org/en/downloads/branches/">upstream support ended 2025-03-26</a>.</li> <li>End support for JRuby 9.4 (which targets Ruby 3.1 compatibility).</li> </ul> <h2>v1.18.10 / 2025-09-15</h2> <h3>Dependencies</h3> <ul> <li>[CRuby] Vendored libxml2 is updated to <a href="https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.9">v2.13.9</a>. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.</li> <li>[CRuby] [Windows and MacOS] Vendored libiconv is updated to <a href="https://savannah.gnu.org/news/?id=10703">v1.18</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
594333a183
|
chore(deps): bump rack from 3.2.3 to 3.2.5 (#13569)
Bumps [rack](https://github.com/rack/rack) from 3.2.3 to 3.2.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rack/rack/blob/main/CHANGELOG.md">rack's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <p>All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference <a href="https://keepachangelog.com/en/1.0.0/">Keep A Changelog</a>.</p> <h2>Unreleased</h2> <h3>Security</h3> <ul> <li><a href="https://github.com/advisories/GHSA-r657-rxjc-j557">CVE-2025-61780</a> Improper handling of headers in <code>Rack::Sendfile</code> may allow proxy bypass.</li> <li><a href="https://github.com/advisories/GHSA-6xw4-3v39-52mm">CVE-2025-61919</a> Unbounded read in <code>Rack::Request</code> form parsing can lead to memory exhaustion.</li> <li><a href="https://github.com/advisories/GHSA-whrj-4476-wvmp">CVE-2026-25500</a> XSS injection via malicious filename in <code>Rack::Directory</code>.</li> <li><a href="https://github.com/advisories/GHSA-mxw3-3hh2-x2mh">CVE-2026-22860</a> Directory traversal via root prefix bypass in <code>Rack::Directory</code>.</li> </ul> <h3>SPEC Changes</h3> <ul> <li>Define <code>rack.response_finished</code> callback arguments more strictly. (<a href="https://redirect.github.com/rack/rack/pull/2365">#2365</a>, <a href="https://github.com/skipkayhil"><code>@skipkayhil</code></a>)</li> </ul> <h3>Added</h3> <ul> <li>Add <code>Rack::Files#assign_headers</code> to allow overriding how the configured file headers are set. (<a href="https://redirect.github.com/rack/rack/pull/2377">#2377</a>, <a href="https://github.com/codergeek121"><code>@codergeek121</code></a>)</li> <li>Add support for <code>rack.response_finished</code> to <code>Rack::TempfileReaper</code>. 
(<a href="https://redirect.github.com/rack/rack/pull/2363">#2363</a>, <a href="https://github.com/skipkayhil"><code>@skipkayhil</code></a>)</li> <li>Add support for streaming bodies when using <code>Rack::Events</code>. (<a href="https://redirect.github.com/rack/rack/blob/main/redirect.github.com/rack/rack/pull/2375">#2375</a>, <a href="https://github.com/unflxw"><code>@unflxw</code></a>)</li> <li>Add <code>deflaters</code> option to <code>Rack::Deflater</code> to enable custom compression algorithms like zstd. (<a href="https://redirect.github.com/rack/rack/issues/2168">#2168</a>, <a href="https://github.com/alexanderadam"><code>@alexanderadam</code></a>)</li> <li>Add <code>Rack::Request#prefetch?</code> for identifying requests with <code>Sec-Purpose: prefetch</code> header set. (<a href="https://redirect.github.com/rack/rack/pull/2405">#2405</a>, <a href="https://github.com/glaszig"><code>@glaszig</code></a>)</li> <li>Add <code>rack.request.trusted_proxy</code> environment key to indicate whether the request is coming from a trusted proxy.</li> </ul> <h3>Changed</h3> <ul> <li>Raise before exceeding a part limit, not after. (<a href="https://redirect.github.com/rack/rack/pull/2362">#2362</a>, <a href="https://github.com/matthew-puku"><code>@matthew-puku</code></a>)</li> <li>Rack::Deflater now uses a fixed GZip mtime value. (<a href="https://redirect.github.com/rack/rack/pull/2372">#2372</a>, <a href="https://github.com/bensheldon"><code>@bensheldon</code></a>)</li> <li>Multipart parser drops support for RFC 2231 <code>filename*</code> parameter (prohibited by RFC 7578) and now properly handles UTF-8 encoded filenames via percent-encoding and direct UTF-8 bytes. (<a href="https://redirect.github.com/rack/rack/pull/2398">#2398</a>, <a href="https://github.com/wtn"><code>@wtn</code></a>)</li> <li>The query parser now raises <code>Rack::QueryParser::IncompatibleEncodingError</code> if we try to parse params that are not ASCII compatible. 
(<a href="https://redirect.github.com/rack/rack/pull/2416">#2416</a>, <a href="https://github.com/bquorning"><code>@bquorning</code></a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Multipart parser: limit MIME header size check to the unread buffer region to avoid false <code>multipart mime part header too large</code> errors when previously read data accumulates in the scan buffer. (<a href="https://redirect.github.com/rack/rack/pull/2392">#2392</a>, <a href="https://github.com/alpaca-tc"><code>@alpaca-tc</code></a>, <a href="https://github.com/willnet"><code>@willnet</code></a>, <a href="https://github.com/krororo"><code>@krororo</code></a>)</li> <li>Fix <code>Rack::MockResponse#body</code> when the body is a Proc. (<a href="https://redirect.github.com/rack/rack/pull/2420">#2420</a>, <a href="https://redirect.github.com/rack/rack/pull/2423">#2423</a>, <a href="https://github.com/tavianator"><code>@tavianator</code></a>, [<a href="https://github.com/ioquatix"><code>@ioquatix</code></a>])</li> </ul> <h2>[3.2.4] - 2025-11-03</h2> <h3>Fixed</h3> <ul> <li>Multipart parser: limit MIME header size check to the unread buffer region to avoid false <code>multipart mime part header too large</code> errors when previously read data accumulates in the scan buffer. (<a href="https://redirect.github.com/rack/rack/pull/2392">#2392</a>, <a href="https://github.com/alpaca-tc"><code>@alpaca-tc</code></a>, <a href="https://github.com/willnet"><code>@willnet</code></a>, <a href="https://github.com/krororo"><code>@krororo</code></a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
3874383698
|
feat: instrument captain v2 (#13439)
# Pull Request Template ## Description Instruments captain v2 ## Type of change - [x] New feature (non-breaking change which adds functionality) ## How Has This Been Tested? Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. Local testing: <img width="864" height="510" alt="image" src="https://github.com/user-attachments/assets/855ebce5-e8b8-4d22-b0bb-0d413769a6ab" /> ## Checklist: - [x] My code follows the style guidelines of this project - [x] I have performed a self-review of my code - [x] I have commented on my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [x] My changes generate no new warnings - [x] I have added tests that prove my fix is effective or that my feature works - [x] New and existing unit tests pass locally with my changes - [x] Any dependent changes have been merged and published in downstream modules --------- Co-authored-by: Shivam Mishra <scm.mymail@gmail.com> |
||
|
|
6632610e78
|
chore(deps): bump faraday from 2.13.1 to 2.14.1 (#13503)
Bumps [faraday](https://github.com/lostisland/faraday) from 2.13.1 to 2.14.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/lostisland/faraday/releases">faraday's releases</a>.</em></p> <blockquote> <h2>v2.14.1</h2> <h2>Security Note</h2> <p>This release contains a security fix, we recommend all users to upgrade as soon as possible. A Security Advisory with more details will be posted shortly.</p> <h2>What's Changed</h2> <ul> <li>Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot by <a href="https://github.com/Copilot"><code>@Copilot</code></a> in <a href="https://redirect.github.com/lostisland/faraday/pull/1642">lostisland/faraday#1642</a></li> <li>Add RFC document for Options architecture refactoring plan by <a href="https://github.com/Copilot"><code>@Copilot</code></a> in <a href="https://redirect.github.com/lostisland/faraday/pull/1644">lostisland/faraday#1644</a></li> <li>Bump actions/checkout from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/lostisland/faraday/pull/1655">lostisland/faraday#1655</a></li> <li>Explicit top-level namespace reference by <a href="https://github.com/c960657"><code>@c960657</code></a> in <a href="https://redirect.github.com/lostisland/faraday/pull/1657">lostisland/faraday#1657</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Copilot"><code>@Copilot</code></a> made their first contribution in <a href="https://redirect.github.com/lostisland/faraday/pull/1642">lostisland/faraday#1642</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/lostisland/faraday/compare/v2.14.0...v2.14.1">https://github.com/lostisland/faraday/compare/v2.14.0...v2.14.1</a></p> <h2>v2.14.0</h2> <h2>What's Changed</h2> <h3>New features ✨</h3> <ul> <li>Use newer <code>UnprocessableContent</code> naming for 422 by <a 
href="https://github.com/tylerhunt"><code>@tylerhunt</code></a> in <a href="https://redirect.github.com/lostisland/faraday/pull/1638">lostisland/faraday#1638</a></li> </ul> <h3>Fixes 🐞</h3> <ul> <li>Convert strings to UTF-8 by <a href="https://github.com/c960657"><code>@c960657</code></a> in <a href="https://redirect.github.com/lostisland/faraday/pull/1624">lostisland/faraday#1624</a></li> <li>Fix <code>Response#to_hash</code> when response not finished yet by <a href="https://github.com/yykamei"><code>@yykamei</code></a> in <a href="https://redirect.github.com/lostisland/faraday/pull/1639">lostisland/faraday#1639</a></li> </ul> <h3>Misc/Docs 📄</h3> <ul> <li>Lint: use <code>filter_map</code> by <a href="https://github.com/olleolleolle"><code>@olleolleolle</code></a> in <a href="https://redirect.github.com/lostisland/faraday/pull/1637">lostisland/faraday#1637</a></li> <li>Bump <code>actions/checkout</code> from v4 to v5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/lostisland/faraday/pull/1636">lostisland/faraday#1636</a></li> <li>Fixes documentation by <a href="https://github.com/dharamgollapudi"><code>@dharamgollapudi</code></a> in <a href="https://redirect.github.com/lostisland/faraday/pull/1635">lostisland/faraday#1635</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/c960657"><code>@c960657</code></a> made their first contribution in <a href="https://redirect.github.com/lostisland/faraday/pull/1624">lostisland/faraday#1624</a></li> <li><a href="https://github.com/dharamgollapudi"><code>@dharamgollapudi</code></a> made their first contribution in <a href="https://redirect.github.com/lostisland/faraday/pull/1635">lostisland/faraday#1635</a></li> <li><a href="https://github.com/tylerhunt"><code>@tylerhunt</code></a> made their first contribution in <a href="https://redirect.github.com/lostisland/faraday/pull/1638">lostisland/faraday#1638</a></li> </ul> 
<p><strong>Full Changelog</strong>: <a href="https://github.com/lostisland/faraday/compare/v2.13.4...v2.14.0">https://github.com/lostisland/faraday/compare/v2.13.4...v2.14.0</a></p> <h2>v2.13.4</h2> <h2>What's Changed</h2> <ul> <li>Improve error handling logic and add missing test coverage by <a href="https://github.com/iMacTia"><code>@iMacTia</code></a> in <a href="https://redirect.github.com/lostisland/faraday/pull/1633">lostisland/faraday#1633</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/lostisland/faraday/compare/v2.13.3...v2.13.4">https://github.com/lostisland/faraday/compare/v2.13.3...v2.13.4</a></p> <h2>v2.13.3</h2> <h2>What's Changed</h2> <ul> <li>Fix type assumption in <code>Faraday::Error</code> by <a href="https://github.com/iMacTia"><code>@iMacTia</code></a> in <a href="https://redirect.github.com/lostisland/faraday/pull/1630">lostisland/faraday#1630</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
bd732f1fa9
|
fix: search faqs in account language (#13428)
# Pull Request Template ## Description Reply suggestions use `search_documentation`. While this is useful, there is a subtle bug: a user's message may be in a different language (say Spanish) than the FAQs present (English). This results in an embedding search in Spanish being compared against English vectors, which results in poor retrieval and poor suggestions. Fixes # (issue) This PR fixes the above behaviour by making a small LLM call to translate the query before searching in the search documentation tool ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) ## How Has This Been Tested? Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. before: <img width="894" height="157" alt="image" src="https://github.com/user-attachments/assets/83871ee5-511e-4432-8b99-39e803759f63" /> after: <img width="1149" height="294" alt="image" src="https://github.com/user-attachments/assets/f9617d7a-6d48-4ca1-ad1c-2181e16c1f3d" /> test on rails console: <img width="2094" height="380" alt="image" src="https://github.com/user-attachments/assets/159fdaa5-8808-49d2-be5d-304d69fa97f7" /> ## Checklist: - [x] My code follows the style guidelines of this project - [x] I have performed a self-review of my code - [x] I have commented on my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [x] My changes generate no new warnings - [x] I have added tests that prove my fix is effective or that my feature works - [x] New and existing unit tests pass locally with my changes - [x] Any dependent changes have been merged and published in downstream modules |
||
|
|
053b7774dd
|
fix: Render all account limit fields (#13435)
## Bug Explanation
- The Super Admin limits form renders inputs by iterating the keys of `account.limits`.
- When `account.limits` was present, `AccountLimitsField#to_s` returned only that hash (no defaults).
- On save, `SuperAdmin::AccountsController` compacts the limits hash, removing blank keys.
- Result: if only one key (e.g., `agents`) was saved, the other keys were missing from the hash and their fields disappeared on the next render.
## Fix
- Always start from a defaults hash of all expected limit keys and merge in any saved overrides.
- This keeps the UI stable and ensures all limit inputs remain visible even when the stored hash is partial.
- Upgraded meta_request to `0.8.5` to stop a dev‑only `SystemStackError` caused by JSON‑encoding ActiveRecord::Transaction in Rails 7.2. No production behavior changes.
## Reproduction Steps
1. In Super Admin, edit an account and set only `agents` in the limits; leave other limit fields blank and save.
2. Re-open the same account in Super Admin.
3. Observe that only `agents` is rendered and other limit fields are missing.
## Testing
- Tested on UI
---------
Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com> |
||
|
|
9eb3ee44a8 |
Revert "chore: Upgrade Rails to 7.2.2 and update Gemfile dependencies (#11037)"
This reverts commit
|
||
|
|
ef6ba8aabd
|
chore: Upgrade Rails to 7.2.2 and update Gemfile dependencies (#11037)
Upgrade rails to 7.2.2 so that we can proceed with the rails 8 upgrade afterwards
# Changelog
- `.circleci/config.yml` — align CI DB setup with GitHub Actions (`db:create` + `db:schema:load`) to avoid trigger-dependent prep steps.
- `.rubocop.yml` — add `rubocop-rspec_rails` and disable new cops that don't match existing spec style.
- `AGENTS.md` — document that specs should run without `.env` (rename temporarily when present).
- `Gemfile` — upgrade to Rails 7.2, switch Azure storage gem, pin `commonmarker`, bump `sidekiq-cron`, add `rubocop-rspec_rails`, and relax some gem pins.
- `Gemfile.lock` — dependency lockfile updates from the Rails 7.2 and gem changes.
- `app/controllers/api/v1/accounts/integrations/linear_controller.rb` — stringify params before passing to the Linear service to keep key types stable.
- `app/controllers/super_admin/instance_statuses_controller.rb` — use `MigrationContext` API for migration status in Rails 7.2.
- `app/models/installation_config.rb` — add commentary on YAML serialization and future JSONB migration (no behavior change).
- `app/models/integrations/hook.rb` — ensure hook type is set on create only and guard against missing app.
- `app/models/user.rb` — update enum syntax for Rails 7.2 deprecation, serialize OTP backup codes with JSON, and use Ruby `alias`.
- `app/services/crm/leadsquared/setup_service.rb` — stringify hook settings keys before merge to keep JSON shape consistent.
- `app/services/macros/execution_service.rb` — remove macro-specific assignee activity workaround; rely on standard assignment handlers.
- `config/application.rb` — load Rails 7.2 defaults.
- `config/storage.yml` — update Azure Active Storage service name to `AzureBlob`.
- `db/migrate/20230515051424_update_article_image_keys.rb` — use credentials `secret_key_base` with fallback to legacy secrets.
- `docker/Dockerfile` — add `yaml-dev` and `pkgconf` packages for native extensions (Ruby 3.4 / psych).
- `lib/seeders/reports/message_creator.rb` — add parentheses for clarity in range calculation.
- `package.json` — pin Vite version and bump `vite-plugin-ruby`.
- `pnpm-lock.yaml` — lockfile changes from JS dependency updates.
- `spec/builders/v2/report_builder_spec.rb` — disable transactional fixtures; truncate tables per example via Rails `truncate_tables` so after_commit callbacks run with clean isolation; keep builder spec metadata minimal.
- `spec/builders/v2/reports/label_summary_builder_spec.rb` — disable transactional fixtures + truncate tables via Rails `truncate_tables`; revert to real `resolved!`/`open!`/`resolved!` flow for multiple resolution events; align date range to `Time.zone` to avoid offset gaps; keep builder spec metadata minimal.
- `spec/controllers/api/v1/accounts/macros_controller_spec.rb` — assert `assignee_id` instead of activity message to avoid transaction-timing flakes.
- `spec/services/telegram/incoming_message_service_spec.rb` — reference the contact tied to the created conversation instead of `Contact.all.first` to avoid order-dependent failures when other specs leave data behind.
- `spec/mailers/administrator_notifications/shared/smtp_config_shared.rb` — use `with_modified_env` instead of stubbing mailer internals.
- `spec/services/account/sign_up_email_validation_service_spec.rb` — compare error `class.name` for parallel/reload-safe assertions. |
||
|
|
b0863ab1cd
|
chore(deps): bump httparty from 0.21.0 to 0.24.0 (#13199)
Bumps [httparty](https://github.com/jnunemaker/httparty) from 0.21.0 to 0.24.0.
Release notes
*Sourced from [httparty's releases](https://github.com/jnunemaker/httparty/releases).*
> ## v0.24.0
> ## What's Changed
> - Force binary encoding throughout by [`@jnunemaker`](https://github.com/jnunemaker) in [jnunemaker/httparty#823](https://redirect.github.com/jnunemaker/httparty/pull/823)
> - set Content-Type for Hash body in requests by [`@jnunemaker`](https://github.com/jnunemaker) in [jnunemaker/httparty#828](https://redirect.github.com/jnunemaker/httparty/pull/828)
> - feat: stream multipart file uploads to reduce memory usage by [`@jnunemaker`](https://github.com/jnunemaker) in [jnunemaker/httparty#829](https://redirect.github.com/jnunemaker/httparty/pull/829)
> - fix: prevent SSRF via absolute URL bypassing base_uri by [`@jnunemaker`](https://github.com/jnunemaker) in [jnunemaker/httparty#830](https://redirect.github.com/jnunemaker/httparty/pull/830)
>
> **Full Changelog**: [https://github.com/jnunemaker/httparty/compare/v0.23.2...v0.24.0](https://github.com/jnunemaker/httparty/compare/v0.23.2...v0.24.0)
> ## 0.23.2
> ## What's Changed
> - Add changelog_uri metadata to gemspec by [`@baraidrissa`](https://github.com/baraidrissa) in [jnunemaker/httparty#817](https://redirect.github.com/jnunemaker/httparty/pull/817)
> - Fix multipart with files in binary mode and fields including non-ASCII characters by [`@rdimartino`](https://github.com/rdimartino) in [jnunemaker/httparty#822](https://redirect.github.com/jnunemaker/httparty/pull/822)
> ## New Contributors
> - [`@baraidrissa`](https://github.com/baraidrissa) made their first contribution in [jnunemaker/httparty#817](https://redirect.github.com/jnunemaker/httparty/pull/817)
> - [`@rdimartino`](https://github.com/rdimartino) made their first contribution in [jnunemaker/httparty#822](https://redirect.github.com/jnunemaker/httparty/pull/822)
>
> **Full Changelog**: [https://github.com/jnunemaker/httparty/compare/v0.23.1...v0.23.2](https://github.com/jnunemaker/httparty/compare/v0.23.1...v0.23.2)
> ## v0.23.1
> - Add foul option to class level |
||
|
|
86da3f7c06
|
fix: Remove account_id from params since it is not used (#13116)
account_id was permitted in strong parameters, allowing authenticated admins to transfer resources (Portals, Automation Rules, Macros) to arbitrary accounts.
Fix: Removed account_id from permitted params in 4 controllers:
- portals_controller.rb
- automation_rules_controller.rb
- macros_controller.rb
- twilio_channels_controller.rb |
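The flaw fixed in #13116, as an added example that is not Chatwoot's code: a framework-free Ruby model of strong-parameter filtering with the permit list that includes `account_id` beside the corrected one, plus a source check that flags ownership keys inside `permit(...)` calls. `Portal`, `permit_params`, `update_portal` and `permits_ownership_key?` are hypothetical names, and the controller snippets and request body are constructed.

```ruby
# Added illustration with hypothetical names and constructed data; not Chatwoot's code.

# Minimal record with an ownership column, standing in for a Portal or Macro row.
Portal = Struct.new(:id, :account_id, :name, keyword_init: true) do
  # Mass-assign whatever attributes the caller hands over, like ActiveRecord#update.
  def update(attrs)
    attrs.each { |key, value| self[key] = value }
    self
  end
end

# Stand-in for strong parameters: drop every key that is not on the allow-list.
def permit_params(raw, allowed)
  raw.transform_keys(&:to_sym).select { |key, _| allowed.include?(key) }
end

VULNERABLE_PERMITTED = %i[name account_id].freeze # permit list before the fix
HARDENED_PERMITTED   = %i[name].freeze            # permit list after the fix

def update_portal(portal, raw_params, allowed)
  portal.update(permit_params(raw_params, allowed))
end

# Columns that decide which tenant owns a row and must never come from the client.
OWNERSHIP_KEYS = %i[account_id].freeze

# Regression check: true if any permit(...) call in the source names an ownership key.
def permits_ownership_key?(source, keys = OWNERSHIP_KEYS)
  source.scan(/\.permit\(([^)]*)\)/m).flatten.any? do |args|
    keys.any? { |key| args.match?(/\b#{Regexp.escape(key.to_s)}\b/) }
  end
end

# Constructed controller lines for the check above.
CONSTRUCTED_BEFORE = 'params.require(:portal).permit(:account_id, :name, :slug)'
CONSTRUCTED_AFTER  = 'params.require(:portal).permit(:name, :slug)'

# Same constructed request body against both permit lists.
def demo
  body = { 'name' => 'Help Center', 'account_id' => 99 }
  before = update_portal(Portal.new(id: 1, account_id: 10, name: 'Docs'), body, VULNERABLE_PERMITTED)
  after  = update_portal(Portal.new(id: 1, account_id: 10, name: 'Docs'), body, HARDENED_PERMITTED)
  {
    owner_before_fix: before.account_id, # row moved to the account named in the body
    owner_after_fix: after.account_id,   # ownership unchanged, the key was filtered out
    name_after_fix: after.name           # legitimate fields still update
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

A check like `permits_ownership_key?` can run in CI over controller sources so that a tenant key does not return to a permit list unnoticed.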
||
|
|
1de8d3e56d
|
feat: legacy features to ruby llm (#12994) | ||
|
|
399c91adaa
|
feat: Standardize rich editor across all channels (#12600)
# Pull Request Template
## Description
This PR includes,
1. **Channel-specific formatting and menu options** for the rich reply editor.
2. **Removal of the plain reply editor** and full **standardization** on the rich reply editor across all channels.
3. **Fix for multiple canned responses insertion:**
   * **Before:** The plain editor only allowed inserting canned responses at the beginning of a message, making it impossible to combine multiple canned responses in a single reply. This caused inconsistent behavior across the app.
   * **Solution:** Replaced the plain reply editor with the rich (ProseMirror) editor to ensure a unified experience. Agents can now insert multiple canned responses at any cursor position.
4. **Floating editor menu** for the reply box to improve accessibility and overall user experience.
5. **New Strikethrough formatting option** added to the editor menu.
---
**Editor repo PR**: https://github.com/chatwoot/prosemirror-schema/pull/36
Fixes https://github.com/chatwoot/chatwoot/issues/12517, [CW-5924](https://linear.app/chatwoot/issue/CW-5924/standardize-the-editor), [CW-5679](https://linear.app/chatwoot/issue/CW-5679/allow-inserting-multiple-canned-responses-in-a-single-message)
## Type of change
- [x] Bug fix (non-breaking change which fixes an issue)
## How Has This Been Tested?
### Screenshot
**Dark**
<img width="850" height="345" alt="image" src="https://github.com/user-attachments/assets/47748e6c-380f-44a3-9e3b-c27e0c830bd0" />
**Light**
<img width="850" height="345" alt="image" src="https://github.com/user-attachments/assets/6746cf32-bf63-4280-a5bd-bbd42c3cbe84" />
## Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [x] I have commented on my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream modules
---------
Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
Co-authored-by: Pranav <pranav@chatwoot.com>
Co-authored-by: Vinay Keerthi <11478411+stonecharioteer@users.noreply.github.com> |
||
|
|
a971ff00f8
|
fix: ruby_llm version conflicts with ai-agents (#13011)
Co-authored-by: aakashb95 <aakash@chatwoot.com> |
||
|
|
87fe1e9ad7
|
feat: migrate editor to ruby-llm (#12961)
Co-authored-by: aakashb95 <aakash@chatwoot.com> Co-authored-by: Shivam Mishra <scm.mymail@gmail.com> |
||
|
|
b269cca0bf
|
feat: Add AI credit topup flow for Stripe (#12988)
Co-authored-by: Shivam Mishra <scm.mymail@gmail.com> Co-authored-by: Pranav <pranav@chatwoot.com> |
||
|
|
e9c60aec04
|
feat: Add support for Langfuse LLM Tracing via OTEL (#12905)
This PR adds LLM instrumentation on langfuse for ai-editor feature
## Type of change
New feature (non-breaking change which adds functionality)
Needs langfuse account and env vars to be set
## How Has This Been Tested?
I configured personal langfuse credentials and instrumented the app, traces can be seen in langfuse. each conversation is one session.
<img width="1683" height="714" alt="image" src="https://github.com/user-attachments/assets/3fcba1c9-63cf-44b9-a355-fd6608691559" />
<img width="1446" height="172" alt="image" src="https://github.com/user-attachments/assets/dfa6e98f-4741-4e04-9a9e-078d1f01e97b" />
## Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [x] I have commented on my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream modules
---------
Co-authored-by: aakashb95 <aakash@chatwoot.com>
Co-authored-by: Vishnu Narayanan <iamwishnu@gmail.com>
Co-authored-by: Pranav <pranav@chatwoot.com> |
||
|
|
6c07f62cfc
|
feat: Add Amazon SES inbound email support (#12893)
## Summary
- add AWS ActionMailbox SES gems
- document SES as incoming email provider
- note SES option in configuration
## Testing
- `bundle exec rubocop config/initializers/mailer.rb config/environments/production.rb Gemfile`
------
[Codex Task](https://chatgpt.com/codex/tasks/task_e_68bbb7d482288326b8f04bb795af0322)
---------
Co-authored-by: Pranav <pranav@chatwoot.com>
Co-authored-by: Vinay Keerthi <11478411+stonecharioteer@users.noreply.github.com> |
||
|
|
6ae5e67b52
|
fix: revert annotaterb migration due to persistent annotation errors (#12881)
## Description
This PR reverts the migration from the `annotate` gem to `annotaterb`
introduced in PR #12845. The annotation errors reported in #11673
persist with both gems, and the old `annotate` gem handles the errors
more gracefully by continuing to process other models instead of
crashing.
**Testing reveals both gems fail with the same underlying issue:**
**Old annotate gem (3.2.0):**
```
Unable to annotate app/models/installation_config.rb: no implicit conversion of Hash into String
Unable to annotate app/models/installation_config.rb: no implicit conversion of nil into Array
Model files unchanged.
```
(Logs error but continues processing)
**New annotaterb gem (4.20.0):**
```
❯ bundle exec annotaterb models
ruby/3.4.4/lib/ruby/gems/3.4.0/gems/reline-0.3.6/lib/reline/terminfo.rb:2: warning: ruby/3.4.4/lib/ruby/3.4.0/fiddle.rb was loaded from the standard library, but will no longer be part of the default gems starting from Ruby 3.5.0.
You can add fiddle to your Gemfile or gemspec to silence this warning.
Also please contact the author of reline-0.3.6 to request adding fiddle into its gemspec.
Annotating models
bundler: failed to load command: annotaterb (ruby/3.4.4/bin/annotaterb)
ruby/3.4.4/lib/ruby/3.4.0/psych/parser.rb:62:in 'Psych::Parser#_native_parse': no implicit conversion of Hash into String (TypeError)
_native_parse @handler, yaml, path
^^^^^^^^^^^^^^^^^^^^
from ruby/3.4.4/lib/ruby/3.4.0/psych/parser.rb:62:in 'Psych::Parser#parse'
from ruby/3.4.4/lib/ruby/3.4.0/psych.rb:457:in 'Psych.parse_stream'
from ruby/3.4.4/lib/ruby/3.4.0/psych.rb:401:in 'Psych.parse'
from ruby/3.4.4/lib/ruby/3.4.0/psych.rb:325:in 'Psych.safe_load'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/activerecord-7.1.5.2/lib/active_record/coders/yaml_column.rb:37:in 'ActiveRecord::Coders::YAMLColumn::SafeCoder#load'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/activerecord-7.1.5.2/lib/active_record/coders/column_serializer.rb:37:in 'ActiveRecord::Coders::ColumnSerializer#load'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/activerecord-7.1.5.2/lib/active_record/type/serialized.rb:22:in 'ActiveRecord::Type::Serialized#deserialize'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/activemodel-7.1.5.2/lib/active_model/attribute.rb:175:in 'ActiveModel::Attribute::FromDatabase#type_cast'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/activemodel-7.1.5.2/lib/active_model/attribute.rb:43:in 'ActiveModel::Attribute#value'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/activemodel-7.1.5.2/lib/active_model/attribute_set.rb:37:in 'block in ActiveModel::AttributeSet#to_hash'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/activesupport-7.1.5.2/lib/active_support/core_ext/enumerable.rb:78:in 'block in Enumerable#index_with'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/activesupport-7.1.5.2/lib/active_support/core_ext/enumerable.rb:78:in 'Array#each'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/activesupport-7.1.5.2/lib/active_support/core_ext/enumerable.rb:78:in 'Enumerable#index_with'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/activemodel-7.1.5.2/lib/active_model/attribute_set.rb:37:in 'ActiveModel::AttributeSet#to_hash'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/activerecord-7.1.5.2/lib/active_record/model_schema.rb:499:in 'ActiveRecord::ModelSchema::ClassMethods#column_defaults'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/model_wrapper.rb:68:in 'AnnotateRb::ModelAnnotator::ModelWrapper#column_defaults'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/model_wrapper.rb:139:in 'block in AnnotateRb::ModelAnnotator::ModelWrapper#built_attributes'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/model_wrapper.rb:136:in 'Array#map'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/model_wrapper.rb:136:in 'AnnotateRb::ModelAnnotator::ModelWrapper#built_attributes'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/column_annotation/annotation_builder.rb:15:in 'AnnotateRb::ModelAnnotator::ColumnAnnotation::AnnotationBuilder#build'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/annotation/annotation_builder.rb:52:in 'block in AnnotateRb::ModelAnnotator::Annotation::AnnotationBuilder::Annotation#columns'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/annotation/annotation_builder.rb:51:in 'Array#map'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/annotation/annotation_builder.rb:51:in 'AnnotateRb::ModelAnnotator::Annotation::AnnotationBuilder::Annotation#columns'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/annotation/annotation_builder.rb:26:in 'AnnotateRb::ModelAnnotator::Annotation::AnnotationBuilder::Annotation#body'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/annotation/annotation_builder.rb:35:in 'AnnotateRb::ModelAnnotator::Annotation::AnnotationBuilder::Annotation#build'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/annotation/annotation_builder.rb:71:in 'AnnotateRb::ModelAnnotator::Annotation::AnnotationBuilder#build'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/project_annotator.rb:43:in 'AnnotateRb::ModelAnnotator::ProjectAnnotator#build_instructions_for_file'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/project_annotator.rb:17:in 'block in AnnotateRb::ModelAnnotator::ProjectAnnotator#annotate'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/project_annotator.rb:13:in 'Array#map'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/project_annotator.rb:13:in 'AnnotateRb::ModelAnnotator::ProjectAnnotator#annotate'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/annotator.rb:21:in 'AnnotateRb::ModelAnnotator::Annotator#do_annotations'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/model_annotator/annotator.rb:8:in 'AnnotateRb::ModelAnnotator::Annotator.do_annotations'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/commands/annotate_models.rb:17:in 'AnnotateRb::Commands::AnnotateModels#call'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/runner.rb:38:in 'AnnotateRb::Runner#run'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/lib/annotate_rb/runner.rb:11:in 'AnnotateRb::Runner.run'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/annotaterb-4.20.0/exe/annotaterb:18:in '<top (required)>'
from ruby/3.4.4/bin/annotaterb:25:in 'Kernel#load'
from ruby/3.4.4/bin/annotaterb:25:in '<top (required)>'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/lib/bundler/cli/exec.rb:58:in 'Kernel.load'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/lib/bundler/cli/exec.rb:58:in 'Bundler::CLI::Exec#kernel_load'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/lib/bundler/cli/exec.rb:23:in 'Bundler::CLI::Exec#run'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/lib/bundler/cli.rb:455:in 'Bundler::CLI#exec'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/lib/bundler/vendor/thor/lib/thor/command.rb:28:in 'Bundler::Thor::Command#run'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/lib/bundler/vendor/thor/lib/thor/invocation.rb:127:in 'Bundler::Thor::Invocation#invoke_command'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/lib/bundler/vendor/thor/lib/thor.rb:527:in 'Bundler::Thor.dispatch'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/lib/bundler/cli.rb:35:in 'Bundler::CLI.dispatch'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/lib/bundler/vendor/thor/lib/thor/base.rb:584:in 'Bundler::Thor::Base::ClassMethods#start'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/lib/bundler/cli.rb:29:in 'Bundler::CLI.start'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/exe/bundle:28:in 'block in <top (required)>'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/lib/bundler/friendly_errors.rb:117:in 'Bundler.with_friendly_errors'
from ruby/3.4.4/lib/ruby/gems/3.4.0/gems/bundler-2.5.16/exe/bundle:20:in '<top (required)>'
from ruby/3.4.4/bin/bundle:25:in 'Kernel#load'
from ruby/3.4.4/bin/bundle:25:in '<main>'
```
(Crashes immediately, stops all processing)
**Root cause:** The `InstallationConfig` model uses YAML serialization
(`serialize :serialized_value, coder: YAML`) on a JSONB database column.
When annotation tools read column defaults, PostgreSQL returns JSONB as
a Hash, but YAML expects a String, causing the type error.
The migration to annotaterb doesn't solve the problem - both gems
encounter the same error. The old gem is preferable as it continues
working despite the error.
Reverts #12845
Related to #11673
## Type of change
- [x] Bug fix (non-breaking change which fixes an issue)
## How Has This Been Tested?
1. Reverted commit
|
||
|
|
559d1b6576
|
fix: migrate from deprecated annotate gem to annotaterb (#12845)
## Description
The `annotate` gem has been deprecated and users are experiencing annotation errors with the new Rails 7 `serialize` syntax. This PR migrates to `annotaterb`, the actively maintained fork.
Users reported errors when running `make db`:
```
Unable to annotate app/models/installation_config.rb: no implicit conversion of Hash into String
Unable to annotate app/models/installation_config.rb: no implicit conversion of nil into Array
```
This PR updates the Gemfile and rake configuration to use `annotaterb` instead.
Fixes #11673
## Type of change
- [x] Bug fix (non-breaking change which fixes an issue)
## How Has This Been Tested?
Tested locally with the following steps:
1. Run `bundle install` - successfully installed annotaterb 4.20.0
2. Run `RAILS_ENV=development bundle exec rails db:chatwoot_prepare` - completed without annotation errors
3. Run `RAILS_ENV=development bundle exec rails annotate_rb:models` - successfully annotated all models including InstallationConfig
4. Verified InstallationConfig model annotations are present and correct
## Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [x] My changes generate no new warnings
- [x] New and existing unit tests pass locally with my changes |
||
|
|
ef54f07d5b
|
feat: Add company backfill migration for existing contacts (Part 1) (#12657)
## Description
Implements company backfill migration infrastructure for existing contacts. This is **Part 1 of 2** for the company model production rollout as described in [CW-5726](https://linear.app/chatwoot/issue/CW-5726/company-model-setting-it-up-on-production).
Creates jobs and services to associate existing contacts with companies based on their email domains, filtering out free email providers (gmail, yahoo, etc.) and disposable addresses.
**What's included:**
- Business email detector service with ValidEmail2 (uses `disposable_domain?` to avoid DNS lookups)
- Per-account batch job to process contacts for one account
- Orchestrator job to iterate all accounts
- Rake task: `bundle exec rake companies:backfill`

~~*NOTE*: I'm using a hard-coded approach to determine if something is a "business" email by filtering out emails that are usually personal. I've also added domains that are common to some of our customers' regions. This should be simpler. I looked into `Valid_Email2` and I couldn't find anything to dictate whether an email is a personal email or a business one. I don't think the approach used in the frontend is valid here.~~
UPDATE: Using `email_provider_info` gem instead.
**Pending - Part 2 (separate PR):** Real-time company creation for new contacts
## Type of change
- [x] New feature (non-breaking change which adds functionality)
## How Has This Been Tested?
```bash
# Run all new tests
bundle exec rspec spec/enterprise/services/companies/business_email_detector_service_spec.rb \
  spec/enterprise/jobs/migration/company_account_batch_job_spec.rb \
  spec/enterprise/jobs/migration/company_backfill_job_spec.rb
# Run RuboCop
bundle exec rubocop enterprise/app/services/companies/business_email_detector_service.rb \
  enterprise/app/jobs/migration/company_account_batch_job.rb \
  enterprise/app/jobs/migration/company_backfill_job.rb \
  lib/tasks/companies.rake
```
**Performance optimization:**
- Uses `disposable_domain?` instead of `disposable?` to avoid DNS MX lookups (discovered via tcpdump analysis - `disposable?` was making network calls for every email, causing 100x slowdown)
## Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [x] I have commented on my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream modules
---------
Co-authored-by: Sojan Jose <sojan@pepalo.com> |
||
|
|
31497d9c63
|
fix: update omniauth to latest to resolve heroku deployment issues (#12749)
# Pull Request Template
## Description
Fixes https://github.com/chatwoot/chatwoot/issues/12553
Heroku build was failing due to `omniauth` version mismatch. Also, added `NODE_OPTIONS=--max-old-space-size=4096` to handle OOM during Vite build.
## Type of change
Please delete options that are not relevant.
- [x] Bug fix (non-breaking change which fixes an issue)
## How Has This Been Tested?
- Tested on heroku
## Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [x] I have commented on my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [x] Any dependent changes have been merged and published in downstream modules |
||
|
|
610495123e
|
chore(deps): bump rack from 3.2.2 to 3.2.3 (#12642)
Bumps rack from 3.2.2 to 3.2.3. |
||
|
|
f89ed56258
|
feat: update rack version (#12628)
Fixes CI failing at bundle audit for a [rack vulnerability](https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c) |
||
|
|
e9c1c61fe4
|
chore(deps): bump uri from 1.0.3 to 1.0.4 (#12619)
fix CVE-2025-61594 |
||
|
|
44fab70048
|
feat: Add support for grouped file uploads in Slack (#12454)
Fixes https://linear.app/chatwoot/issue/CW-5646/add-support-for-grouped-file-uploads-in-slack

Previously, when sending multiple attachments to Slack, we uploaded them one by one. For example, sending 5 images would result in 5 separate Slack messages. This created clutter and a poor user experience, since Slack displayed each file as an individual message.

This PR updates the implementation to group all attachments from a message and send them as a single Slack message. As a result, attachments now appear together in one grouped block, providing a much cleaner and more intuitive experience for users.

**Before:**
Each file uploaded as a separate Slack message.
<img width="400" height="800" alt="before" src="https://github.com/user-attachments/assets/c8c7f666-549b-428f-bd19-c94e39ed2513" />

**After:**
All files from a single message grouped and displayed together in one Slack message (similar to how Slack natively handles grouped uploads).
<img width="400" height="800" alt="after" src="https://github.com/user-attachments/assets/0b1f22d5-4d37-4b84-905a-15e742317e72" />

**Changes**
- Upgraded Slack file upload implementation to use the new multiple attachments API available in slack-ruby-client `v2.7.0`.
- Updated attachment handling to upload all files from a message in a single API call.
- Enabled proper attachment grouping in Slack, ensuring related files are presented together.
|
||
|
|
e3020fbe2c
|
fix: Use case sensitive filter for phone_numbers (#12470)
The contact filter APIs were timing out due to the case‑insensitive
filter. There is no index for lower case phone numbers, so it would
perform a table scan, potentially examining 8 million records or more at
a time.
This change should fix the issue.
I am changing the filter to use direct comparison without lower‑case.
**Previous:**
```sql
SELECT contacts.*
FROM contacts
WHERE contacts.account_id = $1
AND (
LOWER(contacts.phone_number) = '<number>'
OR LOWER(contacts.phone_number) = '<other-number>'
)
ORDER BY contacts.created_at DESC NULLS LAST
LIMIT $2
OFFSET $3
```
**Updated:**
```sql
SELECT contacts.*
FROM contacts
WHERE contacts.account_id = $1
AND (
contacts.phone_number = '<number>'
OR contacts.phone_number = '<other-number>'
)
ORDER BY contacts.created_at DESC NULLS LAST
LIMIT $2
OFFSET $3
```
Fixes:
https://linear.app/chatwoot/issue/CW-5582/contact-filter-timing-out
|
||
|
|
239c4dcb91
|
feat: MFA (#12290)
## Linear:
- https://github.com/chatwoot/chatwoot/issues/486

## Description

This PR implements Multi-Factor Authentication (MFA) support for user accounts, enhancing security by requiring a second form of verification during login. The feature adds TOTP (Time-based One-Time Password) authentication with QR code generation and backup codes for account recovery.

## Type of change

- [ ] New feature (non-breaking change which adds functionality)

## How Has This Been Tested?

- Added comprehensive RSpec tests for MFA controller functionality
- Tested MFA setup flow with QR code generation
- Verified OTP validation and backup code generation
- Tested login flow with MFA enabled/disabled

## Checklist:
- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my code
- [ ] I have commented on my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream modules

---------

Co-authored-by: Pranav <pranav@chatwoot.com>
Co-authored-by: Sojan Jose <sojan@pepalo.com>
Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
|
||
|
|
79b93bed77
|
feat: SAML authentication controllers [CW-2958] (#12319) | ||
|
|
0a9edd4c3b
|
ci(circleci): switch coverage reporting to Qlty orb (#12337) | ||
|
|
0c2ab7f5e7
|
feat(ee): Setup advanced, performant message search (#12193)
We now support searching within the actual message content, email subject lines, and audio transcriptions. This enables a faster, more accurate search experience going forward. Unlike the standard message search, which is limited to the last 3 months, this search has no time restrictions.

The search engine also accounts for small variations in queries. Minor spelling mistakes, such as searching for slck instead of Slack, will still return the correct results. It also ignores differences in accents and diacritics, so searching for Deja vu will match content containing Déjà vu.

We can also refine searches in the future by criteria such as:
- Searching within a specific inbox
- Filtering by sender or recipient
- Limiting to messages sent by an agent

Fixes https://github.com/chatwoot/chatwoot/issues/11656
Fixes https://github.com/chatwoot/chatwoot/issues/10669
Fixes https://github.com/chatwoot/chatwoot/issues/5910

---

Rake tasks to reindex all the messages.

```sh
bundle exec rake search:all
```

Rake task to reindex messages from one account only

```sh
bundle exec rake search:account ACCOUNT_ID=1
```
|
||
|
|
1a1dfd09cb
|
chore: add tidewave gem for development (#12236)
- add tidewave gem for development

ref: https://github.com/tidewave-ai/tidewave_rails
|
||
|
|
530125d4c5
|
chore(deps): upgrade twilio-ruby to 7.6.0 for upcoming features (#12243)
### Summary
- Update Twilio gem to support latest features and API changes.
- No app code changes; Gemfile and Gemfile.lock only.

references: #11602, #11481

### Testing
- Existing Twilio SMS: send/receive still works; delivery status updates.
- Existing Twilio WhatsApp: send/receive still works; templates (if used) unaffected.
- Create new Twilio SMS/WhatsApp inboxes: can be created and can send/receive messages.

Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
|