Commit Graph

6134 Commits

Author SHA1 Message Date
James George
e067ee0b32
fix(common): preserve collection tree on OpenAPI re-import (#6376)
2026-05-28 16:23:13 +05:30
Charlie Freeman
029aa9246c
feat: add Mongolian translation (#6344)
Co-authored-by: cf3901646 <cf3901646@users.noreply.github.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-05-28 16:20:17 +05:30
Mir Arif Hasan
feaf990af6
fix: class validation issue for updateRESTUserRequest (#6373)
* fix: class validation issue for updateRESTUserRequest

* test: modified user-req unit test cases
2026-05-27 13:33:46 +06:00
James George
6e1c9764ce chore: enforce minimumReleaseAge for supply chain hardening 2026-05-26 12:48:33 +05:30
James George
7e39764260 chore: bump version to 2026.5.0 2026-05-26 12:16:42 +05:30
Shreyas
e51e54183e
fix(desktop): align appload types and resolve shell import alias (#6369)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-05-26 12:14:39 +05:30
Gavin McDonough
3836d70e71
feat(common): add OpenAPI 3.1 collection export (#5880)
Co-authored-by: gavin mcdonough <mcdgavin@users.noreply.github.com>
Co-authored-by: nivedin <nivedinp@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-05-26 00:47:44 +05:30
Shreyas
5456b47c52
feat(desktop): zoom level control in settings (#6358)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-05-26 00:37:49 +05:30
Mir Arif Hasan
c85687a8c7
feat: make proxy URL configurable from env and admin dashboard (#6336)
Co-authored-by: nivedin <nivedinp@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-05-26 00:17:52 +05:30
Anwarul Islam
4405dbf6c3
fix(common): wait for proxy settings before issuing requests (#6333) 2026-05-25 23:44:50 +05:30
Nivedin
44f58d13c8
fix: stop secret variable values from leaking to backend (#6279)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-05-22 18:26:46 +05:30
Mir Arif Hasan
daeb352efd
chore: security patch for the dependency chain v2026.5.0 (#6338)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-05-22 17:16:11 +05:30
James George
3480a90181 chore: merge hoppscotch/main into hoppscotch/next
2026-05-14 13:53:34 +05:30
James George
e3853bb764 chore(cli): bump version to 0.31.2
2026-05-14 13:26:20 +05:30
James George
b4f9e7f726 chore: merge hoppscotch/main into hoppscotch/patch 2026-05-14 12:11:08 +05:30
James George
c77de598ef chore(cli): bump version to 0.31.1 2026-05-13 23:19:06 +05:30
James George
0884346f14 chore: bump version to 2026.4.1 2026-05-13 23:18:24 +05:30
Shreyas
e04ef445c4
feat(desktop): settings phase 3a - keyboard layout strategy (#6289)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-05-12 13:33:34 +05:30
James George
d1fc70d724
fix: preserve script imports and avoid WebKit lookbehind (#6306) 2026-05-12 11:17:31 +05:30
Mir Arif Hasan
13245cd048
fix: class validator decorator usages (#6293)
* fix: class validator decorator usages

* fix: feedback
2026-05-11 22:16:12 +06:00
Nahid Hasan
a05a16efa0
fix(security): prevent mass assignment in onboarding (#6171)
* fix(backend): prevent mass assignment in onboarding config endpoint

The unauthenticated POST /v1/onboarding/config endpoint mapped the
request body directly to InfraConfigEnum keys, allowing an attacker on
a fresh install to inject sensitive values such as JWT_SECRET and
SESSION_SECRET, enabling forged admin JWTs and full takeover.

Four independent weaknesses combined to make this exploit possible.
This commit addresses each in layers so the fix holds even if any
single layer regresses:

- main.ts: enable `whitelist: true` on the global ValidationPipe so
  properties not declared on any DTO are stripped before reaching any
  controller / service. This is the primary mitigation described in
  the advisory.

- onboarding.controller.ts: scope an additional ValidationPipe
  (`whitelist` + `forbidNonWhitelisted`) on the onboarding POST body
  so requests containing unknown fields are explicitly rejected with
  400 instead of silently dropped.

- infra-config.service.ts (updateOnboardingConfig): introduce an
  `ONBOARDING_ALLOWED_KEYS` allowlist so any `InfraConfigEnum` key
  not part of the documented onboarding surface (OAuth, SMTP) is
  dropped server-side before being persisted, even if earlier layers
  regress.

- infra-config.service.ts (validateEnvValues): explicitly reject
  `JWT_SECRET`, `SESSION_SECRET` and `ALLOW_SECURE_COOKIES` so these
  keys can never be written through any infra-config code path,
  replacing the prior `default: break` behaviour that silently
  accepted them.

Fixes GHSA-j542-4rch-8hwf

* fix(backend): harden onboarding config validation and add sensitive infra-config tests

* chore: cleanup

* chore: class validator implemented in dto layer

* fix: arguments

* fix: api feedback

---------

Co-authored-by: “mirarifhasan” <arif.ishan05@gmail.com>
2026-05-07 17:46:20 +06:00
James George
cbb32d1aac
fix(cli): ship semver as a runtime dependency (#6257)
2026-05-01 15:17:13 +05:30
James George
7036ab5b53
fix(common): preserve string contract for GQL history responses (#6244) 2026-04-29 17:11:33 +05:30
Nivedin
aee017ced3
fix(common): subfolder add-new in team collections respects write access (#6243) 2026-04-29 14:15:49 +05:30
Nivedin
50f16e2ab5
fix(common): set domain url as mockserver environment (#6185) 2026-04-29 12:14:02 +05:30
Mir Arif Hasan
c4e1f02abf
fix(backend): harden onboarding config endpoint (#6240)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-04-29 00:10:03 +05:30
James George
f344d4e395 chore(common): add token_refresh auth event and harden no-sync flag 2026-04-28 18:58:51 +05:30
James George
3073d156b4 chore(agent): bump version to v0.1.17 2026-04-28 18:18:29 +05:30
Mir Arif Hasan
078d71036b
chore: security patch for the dependency chain v2026.4.0 (#6191)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-04-28 17:51:43 +05:30
Shreyas
96ceb84df9
fix(desktop): unified store scope and migration reroute (#6238)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-04-28 14:59:10 +05:30
James George
df97d11753
fix(common): restore magic-link sign-in flow on cloud for orgs (#6237) 2026-04-28 14:02:50 +05:30
James George
bb1c9a9fe9 chore: formatting updates 2026-04-28 00:50:16 +05:30
James George
50fd27564e chore: bump CLI version 2026-04-28 00:49:21 +05:30
James George
67782b2b30 chore: bump version to 2026.4.0 2026-04-28 00:48:24 +05:30
Rodrigo Kellermann
40ac84c115
feat(selfhost-web): make webapp-server timeouts configurable (#6147)
Signed-off-by: Rodrigo Kellermann <kellermann@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-04-28 00:45:41 +05:30
Shreyas
9861ee84ad
feat(desktop): settings phase 0 - infra and update check (#6172)
Co-authored-by: VicenzoMF <81040684+VicenzoMF@users.noreply.github.com>
2026-04-28 00:36:06 +05:30
Anwarul Islam
15d12f8ce5
fix(common): support id_token in Authorization Code OAuth flow (#6144) 2026-04-28 00:34:02 +05:30
John An
696ddc336c
feat: add collection-level pre-request and test scripts (#5745)
Co-authored-by: nivedin <nivedinp@gmail.com>
Co-authored-by: “mirarifhasan” <arif.ishan05@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-04-27 23:48:52 +05:30
James George
00c75b9de0 chore: merge hoppscotch/main into hoppscotch/next
2026-04-23 23:35:22 +05:30
Nivedin
0cdf8de02d
fix(common): apply platform default proxy URL on load and reset (#6142) 2026-04-23 18:25:26 +05:30
Shreyas
6fc63d0792
docs: security threat model and policy update (#6158)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-04-23 17:35:02 +05:30
Shreyas
84f774265b
fix: remediate quinn-proto vulnerability across native packages (#6174)
Co-authored-by: orbisai0security <242526317+orbisai0security@users.noreply.github.com>
2026-04-22 23:55:27 +05:30
Nivedin
30df20ea7a
feat(common): improve API documentation publishing UX (#6116)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-04-22 23:05:40 +05:30
sahilkhan09k
bc3dbdea42
fix: improve environment validation in published docs (#5962) 2026-04-22 21:55:10 +06:00
Mir Arif Hasan
eb801889ba
feat: add SMTP OAuth2 authentication support (#6141)
Co-authored-by: nivedin <nivedinp@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-04-22 17:11:03 +05:30
Aaron Fort Garcia
7be31a2986
fix(common): variable hover tooltip was not clickable (disappeared) (#6155) 2026-04-21 19:15:18 +05:30
Rishu ray
a0740399b1
fix(common): add missing aria-labels to icon-only sidenav links (#6160)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-04-20 18:30:54 +05:30
James George
3a4b6d8157 chore: merge hoppscotch/main into hoppscotch/next 2026-04-20 18:18:33 +05:30
Denny Jiang
3d19cf5c79
chore(common): modify Chinese translation of words (#5996)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-04-17 21:00:11 +05:30
Serhat
a21ca7ed5a
chore(common): complete missing Turkish translations (#6071)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-17 19:45:03 +05:30