Fredrik Strand Oseberg
c75779e677
refactor: colorpicker ( #9668 )
...
This PR refactors the color picker so we stick to one set of colors
instead of changing available colors when theme changes. Colors picked
also work in dark theme and are aligned with UX.
2025-04-01 12:32:13 +02:00
David Leek
c21ed3ed5e
chore: add flags to control network route links from menu ( #9667 )
2025-04-01 11:18:32 +02:00
renovate[bot]
097c83edfb
chore(deps): update dependency vite to v5.4.16 [security] ( #9666 )
...
This PR contains the following updates:
| Package | Change |
|---|---|
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.4.15` -> `5.4.16`](https://renovatebot.com/diffs/npm/vite/5.4.15/5.4.16) |
### GitHub Vulnerability Alerts
#### [CVE-2025-31125](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8)
### Summary
The contents of arbitrary files can be returned to the browser.
### Impact
Only apps explicitly exposing the Vite dev server to the network (using
`--host` or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host)) are
affected.
### Details
- base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`)
- content of non-allowed files is exposed using `?raw?import`

`/@fs/` isn't needed to reproduce the issue for files inside the
project root.
### PoC
Original report (check details above for simplified cases):
The `?import&?inline=1.wasm?init` ending allows attackers to read
arbitrary files and returns the file content if it exists. Base64
decoding needs to be performed twice.
```
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
```
Example full URL:
`http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init`
---
### Release Notes
<details>
<summary>vitejs/vite (vite)</summary>
### [`v5.4.16`](https://redirect.github.com/vitejs/vite/compare/v5.4.15...v5.4.16)
[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.15...v5.4.16)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/Unleash/unleash ).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-01 09:01:45 +00:00
Gastón Fournier
096e466148
chore: bump slack dependency ( #9664 )
2025-04-01 08:56:02 +00:00
David Leek
f7dbfe1162
chore: admin menu enterprise badge ( #9656 )
2025-04-01 09:13:40 +02:00
renovate[bot]
98a0fba1cb
chore(deps): update dependency vite to v5.4.15 [security] ( #9663 )
...
This PR contains the following updates:
| Package | Change |
|---|---|
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.4.14` -> `5.4.15`](https://renovatebot.com/diffs/npm/vite/5.4.14/5.4.15) |
### GitHub Vulnerability Alerts
#### [CVE-2025-30208](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w)
### Summary
The contents of arbitrary files can be returned to the browser.
### Impact
Only apps explicitly exposing the Vite dev server to the network (using
`--host` or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host)) are
affected.
### Details
`@fs` denies access to files outside of Vite serving allow list. Adding
`?raw??` or `?import&raw??` to the URL bypasses this limitation and
returns the file content if it exists. This bypass exists because
trailing separators such as `?` are removed in several places, but are
not accounted for in query string regexes.
### PoC
```bash
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
$ echo "top secret content" > /tmp/secret.txt
# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"
<body>
<h1>403 Restricted</h1>
<p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.
# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```
---
### Release Notes
<details>
<summary>vitejs/vite (vite)</summary>
### [`v5.4.15`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.15)
[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.14...v5.4.15)
Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.15/packages/vite/CHANGELOG.md)
for details.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/Unleash/unleash ).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-31 16:20:38 +00:00
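The check/use mismatch described in the CVE-2025-30208 details above, as an added example that is not part of the commit message and is not Vite's source. It is a simplified model with hypothetical names (`RAW_RE`, `serveVulnerable`, `serveHardened`) and a constructed allow list, showing why `?raw??` skips a guard that `?raw` triggers and how normalising once before both decisions closes the gap.

```javascript
// Added illustration: a simplified model of the guard/loader mismatch.
// Every name here is hypothetical; this is not code from Vite.

// Guard regex: recognises "?raw" / "&raw" only when followed by "&" or end of URL.
const RAW_RE = /[?&]raw(?:&|$)/;

// Constructed allow list: only files under this root may be served.
const ALLOW_ROOT = '/srv/project/';
const isAllowed = (file) =>
  file.startsWith(ALLOW_ROOT) && !file.split('/').includes('..');

// A later stage trims trailing separators before interpreting the query.
const stripTrailingSeparators = (url) => url.replace(/[?&]+$/, '');

// Path part of the URL (everything before the first "?").
const filePart = (url) => url.split('?')[0];

// Vulnerable ordering: the guard inspects the URL as received, the loader
// inspects it after trimming, so the two can disagree about "is this ?raw".
function serveVulnerable(url) {
  if (RAW_RE.test(url) && !isAllowed(filePart(url))) {
    return { status: 403 };
  }
  const cleaned = stripTrailingSeparators(url);
  if (RAW_RE.test(cleaned)) {
    return { status: 200, file: filePart(cleaned) };
  }
  return { status: 404 }; // model only: non-raw requests are out of scope here
}

// Hardened ordering: normalise once, apply the allow list to every request,
// and only then look at the query.
function serveHardened(url) {
  const cleaned = stripTrailingSeparators(url);
  const file = filePart(cleaned);
  if (!isAllowed(file)) {
    return { status: 403 };
  }
  return RAW_RE.test(cleaned) ? { status: 200, file } : { status: 404 };
}

// Constructed request URLs, using the query shapes named in the advisory.
const SAMPLES = [
  '/srv/project/src/logo.svg?raw',
  '/tmp/secret.txt?raw',
  '/tmp/secret.txt?raw??',
  '/tmp/secret.txt?import&raw??',
];

// Status code each ordering returns for each sample URL.
function compare(samples) {
  return samples.map((url) => ({
    url,
    vulnerable: serveVulnerable(url).status,
    hardened: serveHardened(url).status,
  }));
}

console.table(compare(SAMPLES));
```

The same rule applies to any access check keyed on a query-string regex: the string the check sees must be byte-for-byte the string the handler later interprets.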
renovate[bot]
be41869568
fix(deps): update dependency @slack/web-api to v7.9.1 ( #9661 )
...
This PR contains the following updates:
| Package | Change |
|---|---|
| [@slack/web-api](https://tools.slack.dev/node-slack-sdk/web-api) ([source](https://redirect.github.com/slackapi/node-slack-sdk)) | [`7.9.0` -> `7.9.1`](https://renovatebot.com/diffs/npm/@slack%2fweb-api/7.9.0/7.9.1) |
---
### Release Notes
<details>
<summary>slackapi/node-slack-sdk (@slack/web-api)</summary>

### [`v7.9.1`](https://redirect.github.com/slackapi/node-slack-sdk/releases/tag/%40slack/web-api%407.9.1)
[Compare Source](https://redirect.github.com/slackapi/node-slack-sdk/compare/@slack/web-api@7.9.0...@slack/web-api@7.9.1)
#### What's Changed
This release fixes a bug where setting
[`allowAbsoluteUrls`](https://tools.slack.dev/node-slack-sdk/reference/web-api/interfaces/WebClientOptions/#allowabsoluteurls)
to **false** caused the
[`filesUploadV2`](https://tools.slack.dev/node-slack-sdk/web-api/#upload-a-file)
method to error when uploading files. Files can now be uploaded with
`allowAbsoluteUrls` set to **false**.
##### Bug fixes 🐛
- fix(web-api): complete file upload v2 calls if absolute urls are not allowed in [https://github.com/slackapi/node-slack-sdk/pull/2196](https://redirect.github.com/slackapi/node-slack-sdk/pull/2196) - Thanks [@zimeg](https://redirect.github.com/zimeg)!
##### Maintenance 🧰
- test(web-api): use channel_id instead of channels with files upload v2 in [https://github.com/slackapi/node-slack-sdk/pull/2197](https://redirect.github.com/slackapi/node-slack-sdk/pull/2197) - Thanks [@zimeg](https://redirect.github.com/zimeg)!

**Full Changelog**: https://github.com/slackapi/node-slack-sdk/compare/@slack/web-api@7.9.0...@slack/web-api@7.9.1
**Milestone**: https://github.com/slackapi/node-slack-sdk/milestone/142
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "after 7pm every weekday,before 5am
every weekday" in timezone Europe/Madrid, Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/Unleash/unleash ).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-31 16:09:46 +00:00
Gastón Fournier
d11f39e401
chore: expose custom strategy metrics in prometheus ( #9657 )
...
## About the changes
These metrics are sent to version info but not exposed in prometheus and
they can provide valuable data about their usage
2025-03-31 16:02:50 +02:00
Gastón Fournier
ef1b6ec227
chore: decrease ui observability to warn ( #9658 )
...
These errors are not acted upon and are not something we can act on.
Reducing its level to WARN following
https://github.com/Unleash/unleash/blob/main/website/docs/contributing/ADRs/overarching/logging-levels.md
2025-03-31 16:02:28 +02:00
Thomas Heartman
89f63285a0
Fix: Move hooks to before we bail if the flag is off. ( #9659 )
...
This fixes a React crash when we render more/fewer hooks than on the
previous render if the flag state changes.
2025-03-31 13:59:09 +00:00
Gastón Fournier
eae7535bfc
feat: remove access overview flag making it GA ready ( #9654 )
...
This is exposing information we already have about permissions in a UI
that should help users have an overview of the permissions of a user
with regards to projects and environments
2025-03-31 14:33:38 +02:00
Tymoteusz Czech
ce230ba96b
Fix: separate segment and constraint accordions ( #9652 )
...
Segment accordion should not share state with constraint accordions inside
2025-03-31 12:11:34 +00:00
Mateusz Kwasniewski
3ced6a3780
refactor: environments in feature directory ( #9650 )
2025-03-31 13:58:37 +02:00
Mateusz Kwasniewski
1f1b00c38f
chore: fixing typo pre-defined ( #9651 )
2025-03-31 13:58:22 +02:00
Fredrik Strand Oseberg
aa6c422165
Feat/tag type frontend display ( #9630 )
...
Add frontend for displaying tag colors
2025-03-31 11:55:49 +02:00
Mateusz Kwasniewski
9de0e7435b
feat: enforce env change request on project create ( #9646 )
2025-03-31 09:29:20 +02:00
David Leek
5a55181561
feat: show only link to /admin in mobile menu ( #9647 )
2025-03-31 08:37:15 +02:00
Jaanus Sellin
b55732d719
fix: tooltips not working after base element is also clicked ( #9629 )
2025-03-31 08:59:08 +03:00
Thomas Heartman
398246c3ec
Chore/remove badges from tab order ( #9643 )
...
Makes badges not tabbable by default instead of tabbable by default.
Turns out, badges aren't tabbable by default and they never were until I
made them as much (for some reason that I don't quite understand now).
Anyway, I've gone through the list of uses for the Badge element and
made any element that should be reachable by tab either have an explicit
tab index (if it's within a tooltip, for instance), or be wrapped in a
Link (instead of having an on-click handler). The two places I've
wrapped it in a link, I've also gone and changed the item group to be a
list (for HTML semantics). I've also updated some spacing for the
profile tab.
Application list (one is before, one is after. don't remember which is
which; it's now a list):


Profile page (now a list + improved spacing)
Before:


After:


2025-03-28 15:05:32 +00:00
Thomas Heartman
fc0383620b
fix: focus styles for env headers ( #9635 )
...
Adds focus styles to the env accordion header only when the focus is on
the header itself (not on the env toggle inside the header). The focus
style is consistent with what we do for other accordions (dashboard,
milestones).
Middle one is focused:

Focus is on the toggle inside the top one (yeh, we should have better
focus styles for toggles; but that's not for now):

Open and focused:

Getting the consistent background for the header when it's open is a
little tricky because the accordion container and summary are split into
different files. ~~This first iteration used a class name for the
specific header (because envs can have multiple accordion headers inside
them, e.g. release plans) and setting a CSS variable in the summary, so
that the background matches.~~ I found out that I only need to set it in
the parent anyway 😄
Without it, you get this (notice that there is a little white outside
the lower corners):

2025-03-28 15:59:25 +01:00
Christopher Kolstad
14c8b97441
task: added a hook for cleanly deciding new or old admin menu ( #9645 )
2025-03-28 14:45:09 +01:00
David Leek
5da9f75014
chore: fix weird alignment issue with main content and admin menu ( #9636 )
2025-03-28 13:22:13 +01:00
Tymoteusz Czech
db1ec7ffa6
fix: feedback button ( #9644 )
...
Fix alignment of "add strategy" & "add template" buttons
---------
Co-authored-by: Simon Hornby <sighphyre@users.noreply.github.com>
2025-03-28 11:48:24 +00:00
Melinda Fekete
2d3d6aa38a
Docs for release management ( #9555 )
2025-03-28 10:42:39 +01:00
Simon Hornby
8793d9e632
chore: swap release template instruction svgs for pngs ( #9642 )
2025-03-28 10:47:36 +02:00
David Leek
78dfbde007
fix: Back to Unleash onClick+useNavigate instead of href ( #9641 )
2025-03-28 09:34:48 +01:00
David Leek
39755c7f19
fix: useLocation instead of browser location for resolving pathname ( #9640 )
2025-03-28 08:54:21 +01:00
Simon Hornby
7f98709730
fix: fixes an issue where the new feedback button on the config strategy pane ( #9638 )
2025-03-27 16:43:14 +01:00
Mateusz Kwasniewski
f97924eb36
feat: enforce change request settings in create project dialog ( #9637 )
2025-03-27 16:15:09 +01:00
Simon Hornby
e53e2ca0c7
chore: ux feedback on release templates ( #9634 )
...
Makes two small changes to the release template UI based on walkthrough
feedback with UX
1) The how-to descriptions for creating release plans won't get hidden
when the user has created release plans. We think too much is better
than too little. At a later point we'll push users to documentation more
aggressively
2) The warning for when the user taps the "Use template" button now has
a line break to give it some breathing room and will render anchored to
the bottom left of the originating button rather than covering it
2025-03-27 16:31:47 +02:00
Simon Hornby
b5e52a6160
chore: feedback link on feature strategy ( #9633 )
...
Adds a new link on the feature strategy that points to the feedback link
(pops out new window, only renders if release plans are enabled)

---------
Co-authored-by: Gastón Fournier <gaston@getunleash.io>
2025-03-27 15:19:14 +02:00
Mateusz Kwasniewski
53a4f61260
feat: enabled change requests reacting to available environments ( #9631 )
2025-03-27 13:46:29 +01:00
Tymoteusz Czech
cf053470e5
feat: improve constraints item on small screens ( #9609 )
...
Fixing constraint operator item, items alignment and padding for better presentation on mobile devices.
2025-03-27 13:33:25 +01:00
David Leek
f7c04cc2cb
feat: admin menu for mobile ( #9626 )
2025-03-27 13:28:44 +01:00
Mateusz Kwasniewski
6b793677b9
feat: preselect change request settings in create project ( #9625 )
2025-03-27 12:17:21 +01:00
Mateusz Kwasniewski
cc0348beba
feat: show environments with change requests ( #9628 )
2025-03-27 12:16:04 +01:00
Simon Hornby
47c6f43865
chore: add some getting started info and images when you have no release plans ( #9627 )
2025-03-27 12:58:56 +02:00
Thomas Heartman
138e93c41a
chore: drag-n-drop tooltip for strategies ( #9623 )
...
Implements the drag-n-drop tooltip the first time the user sees a
strategy drag handle on the feature env overview. It uses React Joyride,
which is the same system we use for the demo.
The design is a little different from the sketches because I couldn't
find a quick way to move the content (and the arrow) to be shifted
correctly.
If the demo is also active the first time a user visits a strategy page,
it'll render both the demo steps and this, but this tooltip doesn't
prevent the user from finishing the tour. It might be possible to avoid
that through checking state in localstorage, but I'd like to get this
approved first.
The tooltip uses the auth splash system to decide whether to show the
tooltip, meaning it's stored per user in the DB. To avoid it
re-rendering before you refetch from the back end, we also use a
temporary variable to check whether the user has closed it.
Rendered:

If the tour is also active:

2025-03-27 11:16:37 +01:00
Simon Hornby
6aae9be19c
chore: add a message stating no templates when there aren't any ( #9624 )
2025-03-27 11:34:45 +02:00
Simon Hornby
01f3af4bda
chore: whats new dialog ( #9622 )
...
Adds a new dialog option for what's new in Unleash items. This can be
triggered by setting `popout` to true when configuring the items.
To do this without setting fire to the code, I've also needed to
refactor the NewInUnleash components:
- NewInUnleashItem becomes a dumb item that decides if a dialog or
tooltip should be rendered and controls that render state
- The child item in NewInUnleashItem has been moved out into
NewInUnleashSideBarItem, which feels a bit better since that is a
distinct UI element from the popup
- NewInUnleashDialog now exists, which is a dialog version of the popup.
Meaningfully different to ask for a new component
## Screenshots

2025-03-27 11:30:24 +02:00
Mateusz Kwasniewski
1bd328f4e1
feat: create and edit environment required approvals ( #9621 )
2025-03-26 15:54:46 +01:00
David Leek
07a4106f48
feat: admin menu ( #9617 )
2025-03-26 15:08:56 +01:00
Thomas Heartman
328c5368ed
Hide env metrics when an env has no strategies. ( #9620 )
...
Changes the logic for when we display metrics for an env to not show
them unless we have strategies.

2025-03-26 13:43:12 +00:00
Jaanus Sellin
18d1a6c1bc
feat: show seats used only for full enterprise customers ( #9618 )
2025-03-26 14:53:51 +02:00
Fredrik Strand Oseberg
832b651f5b
fix: flaky test once an hour ( #9615 )
...
This test was flaky once an hour because subminutes 3 made it fall into
the wrong bucket when tests were run exactly or minutes after the hour
had passed.
Also, the databases created were created with the system clock. I
altered it to be explicitly UTC.
2025-03-25 22:25:32 +01:00
Gastón Fournier
380d2c2c5d
feat: release template feedback module ( #9614 )
...
## About the changes
Adds a release template feedback module to release templates:

It uses the Card component by defining a new variant of it.
---------
Co-authored-by: Nuno Góis <github@nunogois.com>
2025-03-25 17:01:04 +01:00
Nuno Góis
b885a927e6
chore: stylable card ( #9604 )
...
https://linear.app/unleash/issue/2-3442/make-card-component-stylable
Makes the Card component introduced in
https://github.com/Unleash/unleash/pull/9096 stylable.
E.g.
```tsx
const StyledCard = styled(Card)(({ theme }) => ({
    backgroundColor: 'pink',
}));
```
2025-03-25 16:39:32 +01:00
Mateusz Kwasniewski
4677b28aee
feat: persist env required approvals ( #9616 )
2025-03-25 16:04:14 +01:00
Mateusz Kwasniewski
497cbcdef2
feat: environment required approvals migration ( #9612 )
2025-03-25 15:33:58 +01:00
Christopher Kolstad
a672292425
feat(docs): Added ADR for logging levels ( #9580 )
...
This PR starts an ADR for logging levels, and how to make your
coworkers' days who are on-call less noisy.
This is my initial suggestion. Please feel free to help me with fleshing
out both the table for what log levels mean to you or if you disagree
with what I've put as a background.
My impression is that we are pretty good at this, but we could be
better, and having an ADR to lean on when pushing back on PR's log
levels could help us.
Thanks to @kwasniew for the push to start the ADR.
Examples:
* 038c10f612/src/lib/db/account-store.ts (L164-L173)

And probably the storeFootprint method in our
client-feature-toggle-delta
* 038c10f612/src/lib/features/client-feature-toggles/delta/client-feature-toggle-delta.ts (L363-L370)
* 293304a5d6/src/traffic-data/traffic-data-usage-service.ts (L69)
---------
Co-authored-by: Melinda Fekete <melinda.fekete@getunleash.io>
2025-03-25 14:06:37 +00:00